Method, Device, and System of Detecting Mule Accounts and Accounts used for Money Laundering

ABSTRACT

Method, device, and system of detecting a mule bank account, or a bank account used for terror funding or money laundering. A method includes: monitoring interactions of a user with a computing device during online access with a bank account; and based on the monitoring, determining that the bank account is utilized as a mule bank account to illegally receive and transfer money, or is used for money laundering or terror funding. The method takes into account one or more indicators, such as, utilization of a remote access channel, utilization of a virtual machine or a proxy server, unique behavior across multiple different accounts, temporal correlation among operations, detection of a set of operations that follow a pre-defined mule account playbook, detection of multiple incoming fund transfers from multiple countries that are followed by a single outgoing fund transfer to a different country, and other indicators.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application is a Continuation of U.S. Ser. No. 17/549,931,filed on Dec. 14, 2021, which is hereby incorporated by reference in itsentirety.

The above-mentioned U.S. Ser. No. 17/549,931 is a Continuation of U.S.Ser. No. 16/872,381, filed on May 12, 2020, now U.S. Pat. No. 11,210,674(issued on Dec. 28, 2021), which is hereby incorporated by reference inits entirety.

The above-mentioned U.S. Ser. No. 16/872,381 is a Continuation of U.S.Ser. No. 16/242,015, filed on Jan. 8, 2019, now U.S. Pat. No. 10,685,355(issued on Jun. 16, 2020), which is hereby incorporated by reference inits entirety.

The above-mentioned U.S. Ser. No. 16/242,015 claims benefit and priorityfrom U.S. 62/621,600, filed on Jan. 25, 2018, which is herebyincorporated by reference in its entirety.

The above-mentioned U.S. Ser. No. 16/242,015 is a Continuation-in-Part(CIP) of U.S. Ser. No. 16/057,825, filed on Aug. 8, 2018, now U.S. Pat.No. 10,523,680 (issued on Dec. 31, 2019), which is hereby incorporatedby reference in its entirety; which is a Continuation of U.S. Ser. No.15/203,817, filed on Jul. 7, 2016, now U.S. Pat. No. 10,069,837 (issuedon Sep. 4, 2018), which is hereby incorporated by reference in itsentirety; which claims priority and benefit from U.S. 62/190,264, filedon Jul. 9, 2015, which is hereby incorporated by reference in itsentirety.

The above-mentioned U.S. Ser. No. 16/242,015 is also aContinuation-in-Part (CIP) of U.S. Ser. No. 15/885,819, filed on Feb. 1,2018, now U.S. Pat. No. 10,834,590 (issued on Nov. 10, 2020), which ishereby incorporated by reference in its entirety.

The above-mentioned U.S. Ser. No. 15/885,819 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/675,764, filed on Apr. 1, 2015, now abandoned,which is hereby incorporated by reference in its entirety.

The above-mentioned U.S. Ser. No. 14/675,764 claims priority and benefitfrom U.S. 61/973,855, filed on Apr. 2, 2014, which is herebyincorporated by reference in its entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/566,723, filed on Dec. 11, 2014, now U.S. Pat.No. 9,071,969 (issued on Jun. 30, 2015); which is a Continuation of U.S.Ser. No. 13/922,271, filed on Jun. 20, 2013, now U.S. Pat. No. 8,938,787(issued on Jan. 20, 2015); which is a Continuation-in-Part (CIP) of U.S.Ser. No. 13/877,676, filed on Apr. 4, 2013, now U.S. Pat. No. 9,069,942(issued on Jun. 30, 2015); which is a National Stage of PCTInternational Application number PCT/IL2011/000907, having anInternational Filing Date of Nov. 29, 2011; which claims priority andbenefit from U.S. 61/417,479, filed on Nov. 29, 2010; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/320,653, filed on Jul. 1, 2014, now U.S. Pat.No. 9,275,337 (issued on Mar. 1, 2016); which claims priority andbenefit from U.S. 61/843,915, filed on Jul. 9, 2013; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/320,656, filed on Jul. 1, 2014, now U.S. Pat.No. 9,665,703 (issued on May 30, 2017); which claims priority andbenefit from U.S. 61/843,915, filed on Jul. 9, 2013; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/325,393, filed on Jul. 8, 2014, now U.S. Pat.No. 9,531,733 (issued on Dec. 27, 2016); which claims priority andbenefit from U.S. 61/843,915, filed on Jul. 9, 2013; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/325,394, filed on Jul. 8, 2014, now U.S. Pat.No. 9,547,766 (issued on Jan. 17, 2017); which claims priority andbenefit from U.S. 61/843,915, filed on Jul. 9, 2013; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/325,395, filed on Jul. 8, 2014, now U.S. Pat.No. 9,621,567 (issued on Apr. 11, 2017); which claims priority andbenefit from U.S. 61/843,915, filed on Jul. 9, 2013; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/325,396, filed on Jul. 8, 2014, now abandoned;which claims priority and benefit from U.S. 61/843,915, filed on Jul. 9,2013; all of which are hereby incorporated by reference in theirentirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/325,397, filed on Jul. 8, 2014, now U.S. Pat.No. 9,450,971 (issued on Sep. 20, 2016); which claims priority andbenefit from U.S. 61/843,915, filed on Jul. 9, 2013; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 14/675,764 is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/325,398, filed on Jul. 8, 2014, now U.S. Pat.No. 9,477,826 (issued on Oct. 25, 2016); which claims priority andbenefit from U.S. 61/843,915, filed on Jul. 9, 2013; all of which arehereby incorporated by reference in their entirety.

The above-mentioned U.S. Ser. No. 16/242,015 is also aContinuation-in-Part (CIP) of U.S. Ser. No. 15/368,608, filed on Dec. 4,2016, now U.S. Pat. No. 10,949,757 (issued on Mar. 16, 2021), which ishereby incorporated by reference in its entirety.

The above-mentioned U.S. Ser. No. 15/368,608 is a Continuation-in-Part(CIP) of U.S. Ser. No. 15/001,259, filed on Jan. 20, 2016, now U.S. Pat.No. 9,541,995 (issued on Jan. 10, 2017); which is a Continuation of U.S.Ser. No. 14/320,653, filed on Jul. 1, 2014, now U.S. Pat. No. 9,275,337(issued on Mar. 1, 2016); all of which are hereby incorporated byreference in their entirety.

The above-mentioned U.S. Ser. No. 14/320,653 claims priority and benefitfrom U.S. 61/843,915, filed on Jul. 9, 2013, which is herebyincorporated by reference in its entirety.

The above-mentioned U.S. Ser. No. 14/320,653 is also aContinuation-in-Part (CIP) of U.S. Ser. No. 13/922,271, filed on Jun.20, 2013, now U.S. Pat. No. 8,938,787 (issued on Jan. 20, 2015), whichis hereby incorporated by reference in its entirety.

The above-mentioned U.S. Ser. No. 14/320,653 is also aContinuation-in-Part (CIP) of U.S. Ser. No. 13/877,676, filed on Apr. 4,2013, now U.S. Pat. No. 9,069,942 (issued on Jun. 30, 2015); which is aNational Stage of PCT International Application numberPCT/IL2011/000907, filed on Nov. 29, 2011; which claims priority andbenefit from U.S. 61/417,479, filed on Nov. 29, 2010; and all of theabove-mentioned patent applications are hereby incorporated by referencein their entirety.

The above-mentioned Ser. No. 15/368,608 is also a Continuation-in-Part(CIP) of U.S. Ser. No. 14/727,873, filed on Jun. 2, 2015, now U.S. Pat.No. 9,526,006 (issued on Dec. 20, 2016), which is hereby incorporated byreference in its entirety.

The above-mentioned Ser. No. 15/368,608 is also a Continuation-in-Part(CIP) of U.S. Ser. No. 15/360,291, filed on Nov. 23, 2016, now U.S. Pat.No. 9,747,436 (issued on Aug. 29, 2017); which is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/718,096, filed on May 21, 2015, now U.S. Pat.No. 9,531,701 (issued on Dec. 27, 2016); which is a Continuation-in-Part(CIP) of U.S. Ser. No. 14/675,768, filed on Apr. 1, 2015, now U.S. Pat.No. 9,418,221 (issued on Aug. 16, 2016); which is a Continuation-in-Partof the above-mentioned U.S. Ser. No. 14/566,723, filed on Dec. 11, 2014,now U.S. Pat. No. 9,071,969 (issued on Jun. 30, 2015); all of which arehereby incorporated by reference in their entirety.

FIELD

The present invention is related to the security of electronic devicesand systems.

BACKGROUND

Millions of people utilize mobile and non-mobile electronic devices,such as smartphones, tablets, laptop computers and desktop computers, inorder to perform various activities. Such activities may include, forexample, browsing the Internet, sending and receiving electronic mail(email) messages, taking photographs and videos, engaging in a videoconference or a chat session, playing games, or the like.

Some activities may be privileged, or may require authentication of theuser in order to ensure that only the authorized user engages in theactivity. For example, a user may be required to correctly enter hisusername and his password in order to access his email account, or inorder to access his online banking interface or website.

SUMMARY

The present invention may include, for example, systems, devices, andmethods for detecting the identity of a user of an electronic device orsystem; for determining whether or not an electronic device or system isbeing used by a fraudulent user (or an attacker) or by a legitimateuser; for determining whether or not an electronic device or system isbeing utilized for an illegal activity or illegitimate activity orfraudulent activity, or for money laundering purposes (e.g., through orvia a “mule” bank account) or for tax evasion purposes or for terrorfunding purposes, or for funding of terrorist activity or for funding ofillegal activity or criminal activity; for differentiating among usersof a computerized service or among users of an electronic device; and/orfor detecting that a user of an electronic device or electronic systemis currently performing, or has recently or previously performed, onlineinteractions that indicate that a fraudulent activity or moneylaundering activity is attempted or is being performed or has beenperformed.

The present invention may provide other and/or additional benefits oradvantages.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block-diagram illustration of a system, inaccordance with some demonstrative embodiments of the present invention.

DETAILED DESCRIPTION OF SOME EMBODIMENTS OF THE PRESENT INVENTION

The Applicants have realized that some cyber-attackers or criminals, orpersons that are involved in online theft or money laundering or taxevasion, may utilize a “mule bank account” or a “money-in, money-out”bank account as a temporary tool for illegally or fraudulentlychanneling money.

For example, user Adam has a bank account at First-Bank. His log-incredentials (username, password) are stolen by cyber-attacker Mallory,who then logs-in to the bank account of Adam using the stolencredentials. Attacker Mallory poses as the user Adam, and performs awire transfer from Adam's bank account into an external bank account,owned formally by user Bob, either at the same institution (First-Bank)or at another institution (Second-Bank). Attacker Mallory then logs-outfrom the bank account of the victim (user Adam). Later, such as a fewhours later or a few days later, once the wire transfer was indeedperformed, attacker Mallory logs-in to the recipient bank account,namely to Bob's bank account; which is actually controlled and/or ownedby attacker Mallory or by someone else on her behalf; and attackerMallory performs an online wire transfer from the Bob bank account,towards another bank account that is owned by Carl and is controlled orowned by attacker Mallory (or, in another scenario, directly towards aretailer bank account from which Mallory purchases goods or services forher benefit).

In this scenario, the bank account owned by user Adam is the victim'sbank account; the bank account that is formally owned by Bob is the“mule” bank account, and is the immediate or direct recipients of thefunds from the victim's bank account; and the bank account that isformally owned by Carl is the “real destination” bank account”, fromwhich the attacker Mallory can withdraw the stolen funds or otherwiseuse the stolen funds. The “mule” bank account of Bob is utilized,directly or indirectly, by the attacker Mallory as an intermediate bankaccount, to channel the funds through it from the victim's account tothe real destination. Utilization of a “mule” bank account may be donefor various purposes; for example, to make it more difficult for thebank(s) and/or for law enforcement to track or trace the exact passageof stolen money. Additionally or alternatively, it may facilitate thetheft due to geographic considerations or due to banking-relatedconsiderations; for example, both the Victim bank account and the Mulebank account are at the same banking institution, and thus the transferfrom the Victim account to the Mule account is completed faster and/oris approved faster and/or requires a reduced security level, whereas theReal Destination bank account is at a different banking institutionand/or in a foreign country (and thus transfers to it may take more timeto complete, and/or may require an increased level of security).

The Applicants have realized that a computerized system may be built andtrained to identify signals or signs that indicate that a particularbank account, such as Bob's bank account in the above example, are a“mule” bank account; and to generate a fraud alert signal, and/or totrigger increased scrutiny of such account, and/or to trigger increasedscrutiny of transaction(s) in such account, and/or to block or put a“hold” on a transaction into or from such account, and/or to require theaccount owner (Bob) to contact customer service telephonically orphysically as additional security measure(s).

Reference is made to FIG. 1 , which is a schematic block-diagramillustration of a system 100, in accordance with some demonstrativeembodiments of the present invention. System 100 may comprise, forexample, an end-user device 110 able to communicate with a server 150 ofa computerized service.

As non-limiting examples, end-user device 110 may be a laptop computer,a desktop computer, a smartphone, a tablet, a smart-watch, or otherelectronic device and/or portable device and/or non-portable device.

End-user device 110 may comprise, for example, a processor 111 toexecute code or programs or instructions; a memory unit 112 totemporarily store data (e.g., RAM, Flash memory); a storage unit 113 tostore data long-term (e.g., Hard Disk Drive (HDD), Solid State Drive(SSD), Flash memory); one or more input units 114 (e.g., touch-screen,physical keyboard, physical keypad, on-screen keyboard, on-screenkeypad, computer mouse, trackball, joystick, touch-pad, stylus, pointingdevice, acoustic microphone); one or more output units 115 (e.g.,screen, touch-screen, multi-touch screen, display unit, audio speakers);an Operating System (OS) 116; one or more applications 117; a Wi-Fitransceiver 118; optionally, a cellular transceiver 119; optionally, aBluetooth transceiver 120; a power source 121 (e.g., internal battery,external battery, rechargeable battery, connection to an electric poweroutlet or socket); one or more accelerometers 122; one or moregyroscopes 123; one or more compass units 124; a Global PositioningSystem (GPS) unit 125; one or more other sensors, such as location-basedsensors, location-detecting sensors, spatial orientation sensors ordetectors, device slanting sensors or detectors, or the like; or and/orother suitable units or modules.

As non-limiting examples, server 150 may be a web-server or anapplication-server of a banking system, a brokerage system, a systemthat provides loans or mortgages or credit or other financial services,a retailer or e-commerce seller, a dating or match-making website, asocial network, or the like.

Server 150 may be implemented by using similar components to those ofend-user device 110, for example, processor, storage unit, input unit,output unit, transceivers, and so forth.

A user interactions tracker 131 may monitor and/or track all the userinteractions and/or gestures that are performed by the user via one ormore input-unit(s) of the end-user device. It may be implemented as aclient-side (end-user side) module or unit, and/or as a server-sidemodule or unit. For example, it may be implemented as or usingJavaScript code and/or CSS code and/or HTML5 code, which may be includedin or embedded in or called from one or more HTML page(s) that areserved by server 150 to a Web-browser of end-user device 110; or, it maybe implemented as integral part of, or as an extension or add-on orplug-in to, a web-browser running on end-user device 110; or, it may beimplemented as part of the native code or the native programminglanguage of an application or “app” that runs on end-user device 110(e.g., implemented as integral or internal part of the native programcode of a banking “app” or mobile application).

The tracked user-interactions data and/or the tracked input-unit(s)interactions data, may be logged or stored locally within device 110,and/or remotely in server 150; in conjunction with time/date stamps, andoptionally in conjunction with contextual data indicating in whichcontext they were measured or sensed or monitored (e.g., movement of theon-screen pointer 75 pixels sideways via the mouse-unit was monitored ata particular time/date stamp, and contextually in the web-page or formof “Perform a Wire Transfer”, and more particularly in the context ofmoving the on-screen pointer from the field of “First Name ofBeneficiary” to the field of “Last Name of Beneficiary”).

A device properties tracker 132 may monitor and/or track particularfeatures and/or properties of the end-user device 110, and/or of aparticular unit of device 110; for example, readings or measurements ordata sensed by accelerometer(s) 122, by gyroscope(s) 123, by compassunit(s) 124, by GPS unit 125, by device spatial-orientation sensor(s),and/or by other sensors of device 110.

The tracked device properties may be logged or stored locally withindevice 110, and/or remotely in server 150; in conjunction with time/datestamps, and optionally in conjunction with contextual data as detectedand tracked by a Context Tracker 134 which indicate in which contextthey were measured or sensed or monitored (e.g., spatial rotation of theentire device 110 by 45 degrees towards the ground was monitored at aparticular time/date stamp, and contextually while the user was viewingthe web-page of “apply for a new credit card”, and more particularlywhile the user was scrolling-down through a list of options in adrop-down list of answers to the question “What is your age range”).

The monitored user-interactions data, and/or the monitored deviceproperties data, may be analyzed by a User Interactions/DeviceProperties Analyzer Module 133; which may be implemented locally withindevice 110 and/or remotely in server 150; and which may perform orexecute one or more of the methods described herein.

In a first set of embodiments, the input-unit interactions and/or thedevice properties, that are monitored and logged in a particular bankaccount (of user Bob from the above example), are analyzed by the UserInteractions/Device Properties Analyzer Module 133 in view of apre-defined pattern or playbook that is pre-defined in the system asindicative to the bank account being a Mule (or fraudulent, or moneylaundering) bank account. For example, a Mule Account Playbook Database161 may store digital representations of such playbooks, and the actualuser interactions/device properties that were monitored and logged inBob's bank account may be compared or matched to each playbook in theMule Account Playbook Database 161 by a Playbook-Based Mule AccountDetector 162. If the actual user interactions/device properties thatwere monitored and logged in Bob's bank account, are identical orsimilar or sufficiently similar (e.g., beyond a pre-defined thresholdlevel of similarity) to at least one pre-defined mule account playbookstored in the Mule Account Playbook Database 161, then thePlaybook-Based Mule Account Detector 162 generates a notification thatthe monitored bank account (Bob's account) is estimated or is determinedto be a mule bank account, and a fraud mitigation module is triggered toperform fraud mitigation operations.

Each “mule playbook” in the Mule Account Playbook Database 161 maycomprise a set of one or more indicators. For example, a first “muleplaybook” may store data indicating that the bank account is never usedfor ATM withdrawals, is never used for cash withdrawals at the bankteller, is never used for check writing, and is often or always orexclusively used for transferring-out money immediately via wiretransfer after (or, within N days after) receiving money through a wiretransfer.

A second “mule playbook” may store data indicating that the bank accountis used exclusively to receive wire transfers from K or more bankaccounts (e.g., of victims) in a first country (e.g., the United States)and to perform wire transfers of at least 90 percent of the availablefunds each time to one single bank account (e.g., the Real Destinationbank account) in a second country (e.g., Russia) within N days ofreceiving each incoming wire transfer.

A third “mule playbook” may comprise one of the above two sets of data,plus an indication that the transactions for wiring-out the funds areperformed by using keyboard in a manner that suggests or that indicatesthat the user is not used to type the personal details of the owner ofthe account (e.g., segmented typing or non-fluid typing of the logincredentials, rather than fluid typing or fluid typing) and/or by usingparticular input-unit interactions that are pre-defined in the playbook(e.g., moving between fields using the TAB key and not using the mouse).

A fourth “mule playbook” may comprise one of the first or second sets ofdata, plus an indication that the user's operations within the monitoredbank account follow a particular intra-website or intra-applicationpattern or sequence or order; for example, logging in to the bankaccount, then (within T1 seconds) checking the status of incoming wiretransfers, then (within T2 seconds) checking the current availablebalance, then (within T3) seconds initiating a wire transfer of at leastK percent of the available balance to a destination bank account that islocated in a different country from the country of the monitored bankaccount; together with an indication that all the operations in themonitored account are always performed via a laptop computer and not byvia a smartphone and not via a tablet (e.g., since most hackers orcyber-attackers utilize a laptop computer or a desktop computer toperform fraudulent operations, rather than smartphones or tablets thatare often utilized by legitimate bank customers).

The Playbook-Based Mule Account Detector 162 may optionally utilize aSufficient Similarity Estimator 163, to determine whether monitoredinteractions are sufficiently similar to those indicated in a particularMule Playbook. For example, a set of monitored interactions oroperations in a particular bank account, may match 90 percent, but notthe entire 100 percent, of the data described in a particular MulePlaybook. The Sufficient Similarity Estimator 163 is configured to checkthis similarity level against a pre-defined threshold value ofsimilarity, such as 85 percent; and since 90>85 the SufficientSimilarity Estimator 163 declares that there is sufficient similarity,and the Playbook-Based Mule Account Detector 162 generates a MuleAccount notification.

Optionally, the threshold value, or range-of-values, that are utilizedby the Sufficient Similarity Estimator 163, may be adjusted or modifiedor set, optionally dynamically by the system and/or autonomously by thesystem, in order to achieve a particular level of detections; forexample, a threshold level of similarity of 70 percent, may yieldresults of 16 suspicious bank accounts out of 100 monitored bankaccounts; the threshold level of similarity may be adjusted or modifiedfrom 70 percent to 82 percent, to thereby yield only 2 bank accounts outof the 100 monitored bank accounts, or in order to yield, generally orin average, up to K percent of monitored bank accounts that requiredadditional scrutiny or that trigger a Mule Account notification.

In a second set of embodiments, a Mule Account Profile Builder unit 164analyzes all the monitored and logged data for each bank account that isalready known to be a mule bank account, and deduces or generates one ormore parameters, conditions and/or formulas that enable the system toidentify other bank accounts as Mule accounts. For example, a particularbank has one million bank accounts of one million customers. The frauddepartment of that bank had positively identified 50 particularaccounts, as accounts that have been used as Mule bank accounts; forexample, based on manual review of those accounts, based on police orlaw enforcement information that indicated bank accounts of criminals orof cyber-attackers, based on data from anti-money-launderingauthorities, or the like. The fraud department manually flags those 50particular bank accounts as Known mule bank accounts.

Then, the Mule Account Profile Builder unit 164 processes all the datathat was monitored and logged for the utilization of each one of those50 known mule accounts; for example, processing and analyzing theinput-unit interactions, the mouse-gestures, the keyboard-utilizationbehavior, the spatial properties of the devices used, the sequence ororder of operations performed, and/or other data or meta-data of eachone of these Known mule accounts. The Mule Account Profile Builder unit164 searches and finds, for example, one or more characteristics thatuniquely characterize all the Known mule accounts, or at least N percent(e.g., at least 75 percent) of all the Known mule bank accounts; andoptionally, that do Not characterize, or are not detected, in a set ofat least P other, non-mule, bank accounts (e.g., bank accounts that arepre-flagged in the system as bank accounts of legitimate users).

For example, the Mule Account Profile Builder unit 164 may analyze theinput-unit interactions and/or the device properties and/or theoperations and transactions, of each one of the Known mule accounts, andmay detect that at least N percent of the Known mule accounts exhibitthe following characteristics: (a) the user utilized the TAB key and notthe computer-mouse and not the touch-pad to move from the BeneficiaryName field to the Beneficiary Address field; and also (b) the usersubmitted the “perform wire transfer” form or request by pressing theEnter key on the keyboard, and not by clicking or tapping on the Submitbutton on the screen; and also (c) the user completed the filling-out ofthe “wire transfer” form within S seconds (e.g., within 45 seconds); andalso (d) the user moved the mouse-pointer on the screen, whilefilling-in the entire “wire transfer” form, for no more than P pixels intotal (e.g., not more than 2,400 pixels in total for the entire form).

The Mule Account Profile Builder unit 164 may actively check that in a“control group”, of at least N bank accounts that are Known (orpre-flagged) as Non-Mule accounts (e.g., a control group of 100 or 500or 1,600 such Known Non-Mule accounts), at least 90 percent (or at leastM percent) of such known non-mule accounts are accounts that do Notexhibit these four characteristics in the aggregate. Accordingly, theMule Account Profile Builder unit 164 determines that these fourcharacteristics are indicative of a Mule bank account, and stores datathat represents this set of four characteristics in a Mule AccountCharacteristics Table 165.

The Mule Account Characteristics Table 165 is populated by such sets ofcharacteristics; and a Characteristics-Based Mule Account Detector 166later compares the interactions and monitored data of a particular bankaccount (that is not yet known to be mule or non-mule), and toautomatically check whether the investigated account exhibits orincludes at least one set of characteristics that are stored in the MuleAccount Characteristics Table 165. If a monitored bank account isobserved to indeed exhibit at least one set of characteristics that isstored in the Mule Account Characteristics Table 165, then theCharacteristics-Based Mule Account Detector 166 flags that monitoredbank account as a Mule Account, and/or triggers a notification that suchaccount is a Mule account or requires additional review or scrutiny,and/or triggers a fraud mitigation module to operate with regard to thisparticular account.

In some embodiments, the Mule Account Profile Builder unit 164 need notnecessarily generate a set of characteristics or parameters; but rather,may generate a Score Formula that produces a particular range of valueswhen it operates on Known Mule accounts, yet produces a different rangeof values when it operates on Known Non-Mule accounts. For example, theMule Account Profile Builder unit 164 may generate a formula that: takesthe number of mouse-clicks performed on average in a usage session(log-in to log-off) in an account (denoted M), multiplies it by thetotal number of seconds that was spent on the page of “wire transfer”(accessing the page, until leaving the page; denoted T), divides it bythe total number of times that the TAB key was pressed in the “wiretransfer” page (denoted B), multiplies it by the number of keycombinations (or by the number of “keyboard shortcuts”) that wereperformed in the “wire transfer” page (denoted C), multiplies it by thetotal number of pixels that the on-screen-pointer was dragged on screenduring the “wire transfer” page visit (denoted P), and divides it by1.75 if the end-user device is identified to be running Linux or Unixoperating system; such that, for example, the Score Formula is (M T CP/B) and optionally further divided by 1.75 if Linux or Unix isdetected.

The Mule Account Profile Builder unit 164 may run this demonstrativeformula, or other formula, on each account in the group of 50pre-flagged accounts that are Known to be Mule accounts; and observesthat in each one of these Known mule accounts, the Score Formulagenerates a score in the range of 45 to 82. Then, Mule Account ProfileBuilder unit 164 may run this demonstrative formula, or other formula,on each account in a “control group” of 50 or 600 pre-flagged accountsthat are Known to be Non-Mule accounts; and observes that in each one ofthese Known Non-Mule accounts, the Score Formula generates a score inthe range of 740 to 935. Accordingly, the Mule Account Profile Builderunit 164 defines a rule that if a bank account, that is Not alreadyknown to be mule or non-mule, is monitored and logged, and itsinteractions generate a score in the range of 45 to 82 (or, generate ascore that is smaller than 83, or that is smaller than 100), then suchaccount is estimated to be a Mule account, and a notification isgenerated accordingly, and a fraud mitigation module is triggered tooperate with regard to such account.

Accordingly, the identification of a Mule bank account, in accordancewith some embodiments of the present invention, need not be based ondiscrete parameters or discrete conditions that are compared one-by-oneacross accounts; but rather, may be based on a complex formula thatreceives as input a set of numerical values that describe variousaspects of the user interactions with the account, and that generate asoutput a single output number, that is then compared to a thresholdvalue or to a threshold range-of-values in order to classify a bankaccount as mule or non-mule.

It is noted that in some embodiments, the classification of a bankaccount may be binary; for example, bank account number 12345 maygenerate a score of 47, and may thus be classified at high level ofcertainty as a Mule bank account; whereas, bank account number 67890 maygenerate a score of 875, and may thus be classified at high level ofcertainty as a Non Mule bank account. In other embodiments, the systemmay utilize a tri-state classification, or a tertiary classification;for example, (i) an account that generated a score of 0 to 120 isclassified as Mule; (ii) an account that generated a score of 740 orabove is classified as Non-Mule; (iii) an account that generated a scorein the range of 120 to 740 is classified as “insufficient data toclassify for certain as mule or non-mule”.

In a third set of embodiments, a Cross-Account Similar-Behavior Detectormodule 167 operates to analyze and/or compare the user interactionsand/or the device properties, between (i) a first account which isactually the Victim account, and (ii) a second account which is actuallythe Mule account; or, between (I) a first account which is the Victimaccount, and (II) a second account which is the Real Destinationaccount; or, between (a) a first account which is actually the Muleaccount, and (b) a second account which is the Real Destination account;or, among three accounts which are (A) the Victim account, (B) the Muleaccount, (C) the Real Destination account. The Cross-AccountSimilar-Behavior Detector module 167 may detect identical of similar tosufficiently-similar characteristics, to the user interactions and/ordevice properties and/or the operations or transactions, in theabove-mentioned pairs or triplets of accounts; and may thus estimate ordetermine that one of the accounts is a Mule account (or, is a Victimaccount; or, is a Read Destination account).

In some embodiments, the above-mentioned comparison(s) may be performed,for example, if the both of the two accounts that are being monitored orcompared (or, if all three accounts) are with the same bank, or are partof the same banking system, or utilize the same “app” or website orinterface; such that they system administrator, or a trusted third-partyon its behalf, may collect, monitor, log and track the user-interactionsand the device properties for each one of the accounts, and may comparethem to each other to establish the determination of sufficientsimilarity. In other embodiments, the above-mentioned comparison(s) maybe performed even if the compared bank accounts are at different banksand are accessed through different “apps” or different web-sites; forexample, if the two (or three) banks or banking systems that areinvolved, utilize the same plug-in or extension or add-on or third-partysecurity provider that monitors interactions with bank accounts ofmultiple banks, and is thus able to notify Bank 1 that a particularaccount in Bank 1 is estimated to be a Mule account that received moneyfrom a particular (victim) account in Bank 2 and that transferred-outfunds to a particular (real destination) account in Bank 3, even thoughthe three accounts are scattered across three different bankinginstitutions.

In a first example, victim Victor has account number 111 with Bank A,and attacker Mallory controls a Mule account number 222 with Bank B.Each bank utilizes a browser (or app) having a plug-in or extension oradd-on that monitors user interactions and sends them for analysis atthe same trusted third party (cyber-security analysis entity). TheCross-Account Similar-Behavior Detector module 167 analyzes the userinteractions and device properties in Account 111 and in Account 222,and finds them to be sufficiently similar to each other (e.g., beyond apre-defined level of similarity). For example, the Cross-AccountSimilar-Behavior Detector module 167 detects that in each one of thesetwo bank accounts (victim account 111; mule account 222), the followinghold true: (a) the “wire transfer” page was filled-out and submittedwithin T seconds (e.g., within 45 seconds or less); and (b) the “wiretransfer” page was submitted by a pressing of the Enter key and not byclicking or tapping the Submit on-screen button; and (c) at least Kpercent (e.g., at least 80 percent) of the fields in the “wire transfer”page or form, were filled-out by segmented manual typing and not byfluid manual typing; and (d) the total number of pixels that theon-screen-pointer was dragged in the “wire transfer” page is less than Ppixels (e.g., less than 1,800 pixels in total). Optionally, theCross-Account Similar-Behavior Detector module 167 may also detect thatthis particular set of characteristics, is sufficiently unique in thegeneral population of bank accounts, or is sufficiently unique in a“control group” of bank accounts that are known to be neither Muleaccounts nor Victim accounts, beyond a pre-defined threshold level ofsufficiency (e.g., in a control group of 500 bank accounts that areknown to be non-mule and non-victim accounts, less than 0.5 percent ofthe accounts exhibit this particular set of characteristics). TheCross-Account Similar-Behavior Detector module 167 further takes intoaccount that not only do Account 111 and Account 222 exhibit the sameset of these four characteristics, that the general population and/or acontrol group of accounts does Not exhibit; but also, importantly,Account 111 and Account 222 are related to each other because a wiretransfer of funds was performed from Account 111 to Account 222 (andoptionally, that later wire transfer of at least K percent of thosefunds was performed from Account 222 to Account 333). Therefore, theCross-Account Similar-Behavior Detector module 167 determines thatAccount 111 and Account 222 were actually controlled or utilized by thesame person; and since they are formally owned by two different persons(e.g., victim Victor, and mule-account owner Bob or Mallory), therecipient bank account 222 is estimated to be a Mule account; and a Muleaccount notification is generated with regard to Account 222, and/or afraud mitigation module is triggered to operate with regard to Account222 and/or with regard to Account 111.

In a second example, victim Victor has account number 111 with Bank A,and attacker Mallory controls a Mule account number 222 with Bank B, andalso controls a Real Destination account 333 with Bank C. Each bankutilizes a browser (or app) having a plug-in or extension or add-on thatmonitors user interactions and sends them for analysis at the sametrusted third party (cyber-security analysis entity). The Cross-AccountSimilar-Behavior Detector module 167 analyzes the user interactions anddevice properties in Account 222 and in Account 333, and finds them tobe sufficiently similar to each other (e.g., beyond a pre-defined levelof similarity). For example, the Cross-Account Similar-Behavior Detectormodule 167 detects that in each one of these two bank accounts (muleaccount 222; real destination account 333), the following hold true: (a)the “wire transfer” page was filled-out and submitted within T seconds(e.g., within 60 seconds or less); and (b) at least K percent (e.g., atleast 85 percent) of the fields in the “wire transfer” page or form,were filled-out by using copy-and-paste operations and not by manualtyping of character-by-character data entry; and (c) the “wire transfer”page or form was accessed by, or was operated by, a user that utilized atouch-screen of an iPad tablet (and not by smartphone, and not by laptopcomputer, and not by desktop computer); and (d) when the user pressedthe “submit” button, he also at the same time rotated the tablet byapproximately 20 to 30 degrees counter-clockwise; and (e) when the userutilized the touch-screen to scroll-down in the “wire transfer” page orform, the user also slanted the tablet by approximately 40 to 50 degreesrelative to the ground. Optionally, the Cross-Account Similar-BehaviorDetector module 167 may also detect that this particular set ofcharacteristics, is sufficiently unique in the general population ofbank accounts, or is sufficiently unique in a “control group” of bankaccounts that are known to be neither Mule accounts nor Real Destinationaccounts, beyond a pre-defined threshold level of sufficiency (e.g., ina control group of 600 bank accounts that are known to be non-mule andnon-real-destination accounts, less than 0.7 percent of the accountsexhibit this particular set of characteristics). The Cross-AccountSimilar-Behavior Detector module 167 further takes into account that notonly do Account 222 and Account 333 exhibit the same set of these fivecharacteristics, that the general population and/or a control group ofaccounts does Not exhibit; but also, importantly, Account 222 andAccount 333 are related to each other because a wire transfer of fundswas performed from Account 222 to Account 333 (and optionally, that theoutgoing wire transfer from Account 222 was in an amount of at least Kpercent of the funds that were received via an incoming wire transferthat arrived into Account 222 during the N days prior to the outgoingtransfer). Therefore, the Cross-Account Similar-Behavior Detector module167 determines that Account 222 and Account 333 were actually controlledor utilized by the same person; and since they are formally owned by twodifferent persons (e.g., user Bob and user Carl), the transferring bankaccount 222 is estimated to be a Mule account; and a Mule accountnotification is generated with regard to Account 222, and/or a fraudmitigation module is triggered to operate with regard to Account 222and/or with regard to Account 333 (the final recipient of the funds)and/or with regard to Account 111 (the original source of the funds).

In a third example, victim Victor has account number 111 with Bank A,and attacker Mallory controls a Mule account number 222 with Bank B, andalso controls a Real Destination account 333 with Bank C. Each bankutilizes a browser (or app) having a plug-in or extension or add-on thatmonitors user interactions and sends them for analysis at the sametrusted third party (cyber-security analysis entity). The Cross-AccountSimilar-Behavior Detector module 167 analyzes the user interactions anddevice properties in Account 111 and in Account 333, and finds them tobe sufficiently similar to each other (e.g., beyond a pre-defined levelof similarity). For example, the Cross-Account Similar-Behavior Detectormodule 167 detects that in each one of these two bank accounts (victimaccount 111; final destination account 333), the following hold true:(a) the “wire transfer” page was filled-out and submitted within Tseconds (e.g., within 55 seconds or less); and (b) at least K percent(e.g., at least 95 percent) of the fields in the “wire transfer” page orform, were filled-out by using copy-and-paste operations and not bymanual typing of character-by-character data entry; and (c) the “wiretransfer” page or form was accessed by, or was operated by, a user thatutilized a touch-screen of an iPad tablet (and not by smartphone, andnot by laptop computer, and not by desktop computer); and (d) when theuser pressed the “submit” button, he also at the same time rotated thetablet by 15 to 25 degrees clockwise; and (e) when the user utilized thetouch-screen to scroll-up in the “wire transfer” page or form, the useralso slanted the tablet by approximately 30 to 35 degrees relative tothe ground and away from the user. Optionally, the Cross-AccountSimilar-Behavior Detector module 167 may also detect that thisparticular set of characteristics, is sufficiently unique in the generalpopulation of bank accounts, or is sufficiently unique in a “controlgroup” of bank accounts that are known to be neither Mule accounts norReal Destination accounts, beyond a pre-defined threshold level ofsufficiency (e.g., in a control group of 800 bank accounts that areknown to be non-mule and non-real-destination accounts, less than 1percent of the accounts exhibit this particular set of characteristics).The Cross-Account Similar-Behavior Detector module 167 further takesinto account that not only do Account 111 and Account 333 exhibit thesame set of these five characteristics, that the general populationand/or a control group of accounts does Not exhibit; but also,importantly, Account 111 and Account 333 are detected by the system tobe indirectly related to each other, because each one of them eithersent money via wire transfer to Account 222 or receive money via wiretransfer from Account 222 (and optionally, that the two wire transferamounts are in the range of 0.80 to 1.20 of each other, or are withinanother pre-defined threshold range. Therefore, the Cross-AccountSimilar-Behavior Detector module 167 determines that Account 111 andAccount 333 were actually controlled or utilized by the same person; andsince they are formally owned by two different persons (e.g., victimVictor, and attacker Mallory), the recipient bank account 333 isestimated to be a Real Destination account; and a Mule accountnotification is generated with regard to Account 333, and/or a fraudmitigation module is triggered to operate with regard to Account 222and/or with regard to Account 333 (the final recipient of the funds)and/or with regard to Account 111 (the original source of the funds).

In a fourth example, the above-mentioned set of four or fivecharacteristics, or another set of characteristics, is detected acrossall Three accounts, namely, are detected in the usage session that theattacker performed in Account 111, and are also detected in one or moreusage sessions in Account 222, and are also detected in one or moreusage sessions in Account 333; thereby triggering the Cross-AccountSimilar-Behavior Detector module 167 to generate a notification thatthese three accounts are actually a victim account, a mule account, anda real destination account, respectively, and to trigger the operationof a fraud mitigation module.

It is noted that for demonstrative purposes, the first account in theabove examples, or in other examples mentioned herein, is referred to asa “victim” account; however, the first account need not necessarily beof a victim, but rather, may be owned or controlled by a criminal or anattacker or by a person that attempts to perform tax evasion or moneylaundering. For example, Account 111 may be a USA bank account that isowned by user David, who receives income into the account by providingprogramming services to clients; the income is then channeled ortransferred by David himself, from his own bank account 111 in the USA,to a “mule” bank account 222 that is owned by his sister Sarah in adifferent bank and in a different country (e.g., Russia); the transferis reported as “business expense” in the USA, and is reported as“investment” in Russia, in order to evade taxes or to perform moneylaundering; and the funds are then transferred, for example, by Davidhimself who logs-in into Sarah's account number 222, from account 222 toa third “real destination” account 333. The system of the presentinvention may detect this type of scenarios, in which the originatingbank account is not necessarily a “victim” account, but rather, is ownedor is controlled at all times by the “fraudster” or criminal himself.

The present invention may similarly be able to detect that a bankaccount is utilized for terror funding, or for funding of terroristactivity. For example, a set of bank accounts that are known to havebeen utilized for terror funding (e.g., 20 or 50 such accounts) areautomatically analyzed by the modules and units of the presentinvention, and particularly by the modules that analyze the behavioralcharacteristics and the user-interactions characteristics in those bankaccounts; and a pattern is extracted from that analysis, or abehavioral/transactional score is generated based on that analysis.Then, the system of the present invention may analyze the behavior andthe transactions in another bank account, in order to determine whetherthe behavior and the transactions in that other account are sufficientlysimilar (e.g., beyond a pre-defined threshold value of similarity) tothe pattern or characteristics that were identified from the 20 or 50bank accounts that are already known as terror funding accounts (e.g.,accounts utilized by captured terrorists); and if the similarity issufficient, then the system may generate a notification that the otherbank account is estimated or is determined to be, similarly, a terrorfunding bank account.

The present invention may similarly be used to detect banking fraud in ascenario that involves only a single bank account, or only two bankaccounts (and not necessarily three bank accounts). For example, an“open banking” channel is utilized by some banks and/or by someretailers, enabling a user to initiate from the retailer's website apayment from the bank account of the user to the bank account of theretailer. The present invention may be configured to characterize theuser interactions, the user behavior and the transaction properties insuch “open banking” transactions that turned out to be fraudulent, orthat are known to be fraudulent; may deduce or extract abehavioral/transactional profile or pattern for such “open banking”fraud; and may detect that another bank account is utilized to perform“open banking” fraud based on a detection that sufficiently similar userbehavior and/or user interactions and/or transactions are observed inthat other bank account.

In some embodiments, the system may utilize an Excessive OperationsDetector module 168, to detect that a particular bank account exhibitsan excessive number of baking operations in general, or of a particulartype of banking operations (e.g., wire transfers; incoming wiretransfers; outgoing wire transfers), within a pre-defined time-period(e.g., within a day, or a week, or a month, or within the most-recent 10days, or the like). For example, the Excessive Operations Detectormodule 168 may detect that in Account 222, there are 13 incoming wiretransfers within a period of 4 days, followed immediately (e.g., withinH hours of the last incoming transfer) by a single outgoing wiretransfer of at least K percent of the total incoming funds (e.g., atleast 95 percent of the incoming funds); and optionally, that all theincoming wire transfers (or at least N percent of them) are from bankaccounts located in a first country (e.g., the USA), while the singleoutgoing wire transfer is (in some embodiments) to a bank accountlocated in a second country (e.g., Russia). The Excessive OperationsDetector module 168 may compare the number of incoming transfers (13transfers within 4 days) to a pre-defined threshold value (e.g., 2incoming transfers per day; equivalent to 8 transfers in 4 days), andmay thus determine that there is detected an Excessive number ofincoming wire transfers in Account 222, thereby triggering a Muleaccount flagging and notification for Account 222.

Additionally or alternatively, a Mule-Type Operations Detector module169 compares the above-mentioned operations to a set of pre-definedconditions or threshold values, and determines that Account 222 is aMule account based on such comparisons; for example, in view of theabove-mentioned insights, that all the incoming wire transfersoriginated from the same country and were then followed by atransfer-out of at least K percent of the funds to a destination bankaccount in a different country); and may similarly flag the Account 222as a mule account, and may trigger fraud prevention operations.

In some embodiments, a Suspicious Beneficiary Account Detector 170 maysimilarly operate to identify Account 222 and/or Account 333, as anaccount that is utilized for money laundering and/or tax evasion and/orfraudulent activity. For example, the Suspicious Beneficiary AccountDetector 170 may compare the number of transactions, the type oftransactions, and/or the amounts of transactions, that are performed inAccount 222 (or, in Account 333), as a beneficiary account that receivedincoming wire transfer(s), to the characteristics of similar beneficiaryaccounts in the general population or in a “control group” of known bankaccounts, or to threshold values that were established by the system byanalysis of operations in such control group or general population ofbank accounts. For example, the system may analyze the operationsperformed in a control group of 5,000 checking accounts, that receivedbetween 5 to 8 incoming wire transfers within a total period of 6months; and may detect that in 99 percent of these 5,000 bank accounts,(I) not more than 75 percent of the incoming funds were alsotransferred-out within 14 days of the most-recent incoming transfer, andalso (II) the outgoing wire transfer was performed via a non-Linuxend-user device, and also (III) the outgoing wire transfer has taken atleast T seconds to be entered (e.g., at least 180 seconds), and also(IV) in the outgoing wire transfer form, at least N percent of thefields (e.g., at least 80 percent of the fields) were filled-out bymanual typing of character-by-character typing operations (e.g., and notby copy-and-paste operations). The system may thus generate a rule, or aset of rules, indicating that if a bank account has between 5 to 8incoming wire transfers within 6 months, and the bank account does Notexhibit this set of four characteristics, then the bank account isdetected as an account involved in fraudulent activity, and a fraudnotification is generated, and fraud mitigation operations are executed.

Additionally or alternatively, in some embodiments, the SuspiciousBeneficiary Account Detector 170 may compare the data exhibited in aparticular usage session (or, the data exhibited while a particulartransaction is entered by the user), to previous/past/historic usagesessions in that same bank account, in order to detect that the bankaccount is utilized for fraudulent activity during the particular usagesession (or transaction) that is investigated or monitored. For example,user Alice is a graphic designer who owns bank account number 444, inwhich she receives between 6 to 10 incoming wire transfers every month,from her various clients, each incoming wire transfer in the range of750 to 1,800 dollars. The Suspicious Beneficiary Account Detector 170detects that in past usage sessions in the Alice bank account number444, the user had always performed a transfer-out of not more than 1,200dollars, to a particular beneficiary (e.g., a sub-contractor of Alice),not more than once per month. The Suspicious Beneficiary AccountDetector 170 also observes that in past usage sessions in the Alice bankaccount number 444, the user had always utilized an Android smartphoneto check her balance, and has never utilized an Apple device to checkher balance. The Suspicious Beneficiary Account Detector 170 alsoobserves that in past usage sessions in the Alice bank account number444, the user had always checked the balance in her Savings account,before performing a transfer-out operation from her Checking account tothe beneficiary. Then, when attacker Mallory logs-in to Alice's bankaccount number 444, using stolen credentials, the Suspicious BeneficiaryAccount Detector 170 detects that in this usage session, (I) the usertransferred-out 4,500 dollars (and not an amount within the previousmaximum of 1,200 dollars), and also (II) the user utilized an AppleMacBook to perform the wire-out transaction (and not the Androidsmartphone as in previous usage sessions), and also (III) the user didnot check her Savings account balance prior to commanding the wire-outfrom the Checking account. Therefore, the Suspicious Beneficiary AccountDetector 170 determines that in this particular usage session, in whichthe transfer-out transaction was commanded, the account number 444 wasnot controlled by the legitimate user Alice, but rather wasmost-probably controlled by a cyber-attacker; and may thus generate afraud notification, and/or may trigger fraud mitigation operations.

Some embodiments may utilize a Remote Access Detector module 171, todetect that a particular bank account is or was being controlled by auser that utilizes a Remote Access tool to remotely-access aremotely-located computer which in turn performed the access to the bankaccount. For example, cyber-attacker Mallory is physically located in afirst country (e.g., China), and utilizes a laptop computer having aRemote Access tool, to take-over a desktop computer of victim Victor whois located in another country (e.g., the United States), and to log-into the victim's bank account (e.g., at a United States bankingplatform), and to perform a wire transfer from the victim's bank accountto a bank account of user Bob (e.g., which is actually a mule bankaccount). The system may detect that the bank account of victim Victor,particularly during the usage session in which the wire transferred wascommanded, was controlled by a remotely-located attacker who took-overthe victim's computer; for example, for example, based on lags or delaysor latency that are detected in the communication channel, and/or byusing one or more methods or modules that are described in U.S. Pat. No.9,838,373, which is hereby incorporated by reference in its entirety.Based on such detection, and by detecting that a wire transfer wasperformed during the Remote Access usage session from theremotely-controlled bank account to the recipient account, aRemote-Access-Based Mule-Account Detector module 172 determines that thebank account of the recipient (Bob in this example) is actually a Mulebank account, and generates a mule account notification with regard tothat bank account, and triggers a fraud mitigation process.

Some embodiments may utilize a Virtual Machine Detector module 173, todetect that a particular bank account is or was being controlled by auser that utilizes a Virtual Machine (VM) that is spawned and/orgenerated and/or controlled and/or run through a Virtual Machine Monitor(VMM), to access a bank account. For example, cyber-attacker Mallory isphysically operating a laptop computer that runs Linux operating system,and utilizes a VMM that creates a Virtual Machine of Windows 10operating system; and through the Windows Virtual Machine, the attackeraccesses the bank account of victim Victor (e.g., by entering his stolencredentials), and to perform a wire transfer from the victim's bankaccount to a bank account of user Bob (e.g., which is actually a mulebank account). The system may detect that the bank account of victimVictor, particularly during the usage session in which the wiretransferred was commanded, was controlled or accessed via a VirtualMachine (VM) or other virtualized environment, for example, for example,based on lags or delays or latency that are detected in thecommunication channel, and/or by using one or more other methods ormodules that are described in U.S. Pat. No. 9,483,292 which is herebyincorporated by reference in its entirety. Based on such detection, andby detecting that a wire transfer was performed during the VirtualMachine usage session (or during the Virtualized usage session) from afirst bank account to a recipient account, a Virtual Machine BasedMule-Account Detector module 174 determines that the bank account of therecipient (Bob in this example) is actually a Mule bank account, andgenerates a mule account notification with regard to that bank account,and triggers a fraud mitigation process.

Some embodiments may utilize an IP Spoofing/Proxy Server Detector module175, to detect that a particular bank account is or was being controlledby a user that utilizes IP spoofing or IP address spoofing; namely,creation of Internet Protocol (IP) packets having a false source IPaddress, for hiding the identity of the accessing user and/or forimpersonating another user or another source, such as by utilizing aProxy Server. For example, cyber-attacker Mallory is physically locatedin a first country (e.g., Ukraine), and utilizes a laptop computer toaccess a Virtual Private Network (VPN) and/or a proxy server that is/arelocated in (or hosted in, or served from) a second country (e.g., theUnited States), and to access through the VPN/through the proxy serveran online account of victim Victor who is located in the second country(e.g., the United States), and to log-in to the victim's bank account(e.g., at a United States banking platform), and to perform a wiretransfer from the victim's bank account to a bank account of user Bob(e.g., which is actually a mule bank account). The system may detectthat the bank account of victim Victor, particularly during the usagesession in which the wire transferred was commanded, was controlled byan end-user device that performed IP address spoofing, for example,based on lags or delays or latency that are detected in thecommunication channel (e.g., the spoofed IP address is a nearby IPaddress in the same country as the bank server computer, but a Ping timeindicates a far-away end-user-device in a far country), and/or by usinga Bogon Filtering mechanism (e.g., detecting a bogus/fake IP addressthat is not in any range allocated by the Internet Assigned NumbersAuthority (IANA) or by a delegated Regional Internet Registry (RIR) forpublic Internet use), and/or by using a Martian Packet detectionmechanism, and/or by detecting a substantial change of at least Kpercent between the Time-To-Live (TTL) of a first IP packet and the TTLof a second IP packet that are incoming from the same end-user device.Based on such detection, and by detecting that a wire transfer wasperformed during the Remote Access usage session from theremotely-controlled bank account to the recipient account, anIP-Spoofing-Based Mule-Account Detector module 176 determines that thebank account of the recipient (Bob in this example) is actually a Mulebank account, and generates a mule account notification with regard tothat bank account, and triggers a fraud mitigation process.

Some embodiments may utilize a Mule Account/Money Laundering AccountDetector module 177, which may operate by taking into account one ormore parameters or conditions or detected observations, for example, oneor more of the following: (1) detecting of an access to a bank accountvia a Remote Access tool that allows a first user to utilize a firstcomputer in order to remotely control a second computer from which theaccess to the bank server is performed; (2) detecting that the bankaccount is accessed via a Virtual Machine (VM) or other virtualizedplatform; (3) detecting that the bank account is accessed via a proxyserver and/or via a VPN; (4) detecting that the bank account is accessedvia a mechanism that performs, or that is estimated to be performing, IPaddress spoofing; (5) detecting input-unit gestures and/or interactionsthat are performed in the account and that do not match, or are notsufficiently similar to, a behavioral profile of the account owner asconstructed in previous/past/historical usage-sessions in that account;(6) detecting input-unit gestures and/or interactions that are performedin the account and that do not match, or are not sufficiently similarto, a typical behavioral profile of a legitimate (non-fraudulent)account owner, as constructed by analyzing interactions across multipleaccounts of multiple legitimate users in usage-sessions that aredetermined to be legitimate and non-fraudulent; (7) detecting input-unitgestures and/or interactions that are performed in the account and thatdo not match, or are not sufficiently similar to, a behavioral profileof the account owner as constructed in the most-recent previoususage-session in that account; (8) detecting input-unit gestures and/orinteractions that are performed in the account and that do not match, orare not sufficiently similar to, a behavioral profile of the accountowner as constructed based on user-provided information or accountinformation (e.g., the legitimate account-owner had indicated in a pastsurvey that she is 74 years old and is a novice in online banking,whereas the current account-user is performing advanced keyboardshortcuts and copy-and-paste operations that characterize a non-noviceuser); (9) detecting that input-unit gestures and/or interactions, thatare observed in the account from which a wire transfer is originating,is identical or is sufficiently similar to input-unit gestures and/orinteractions that are observed in the account that is the recipient ofthat wire transfer; (10) detecting that one or more suchcharacteristics, are also accompanied by a particular pre-defined TimingScheme, for example, by utilizing a Timing Scheme/Temporal RelationshipDetector module 178 which detects that the user of Account 222 onlyaccesses that account in a time-window of between 1 to 12 hours after anincoming wire transfer is received at that Account 222, and not duringany other time-slots, or that otherwise detects that access session toAccount 222 and/or that balance checking in Account 222 and/or wiretransfer operations in Account 222 are only performed during aparticular time-slot after a particular Event (or type of event) hasoccurred (e.g., incoming wire transferred was received), and/or thatotherwise determines a particular Temporal Relationship or TemporalCorrelation between accesses to Account 222 and event(s) occurring inAccount 222, or between a certain type of operations or transactions inAccount 222 and a certain type of events in that account; (11) detectingthat a single particular bank account (e.g., the account of victimVictor) is alternately utilized by two different human users who exhibittwo different patterns of behavioral characteristics (e.g., victimVictor is novice and slow-typing and uses only the mouse for fieldnavigation; attacker Mallory is an expert user who is fast-typing,utilizes keyboard shortcuts); (12) detecting that multiple bankaccounts, that are formally owned by two or more different persons, areaccessed by users that exhibit the same pattern of interactions and arethus estimated to be utilized by a single user and not by multipledifferent user (e.g., attacker Mallory is accessing the victim accountand the mule account, and exhibits the same interactions across thesetwo accounts, such as, fast typing, utilization of keyboard shortcuts;exhibiting same or similar type of corrective action to an aberration oranomaly that is injected to the input/output of the GUI; or the like);(13) detecting existence of correlation, or detecting a particular typeof correlation, or detecting a lack of correlation, between input-unitinteractions (e.g., the user taps on “submit” button on the touch-screenof a tablet) and spatial device properties (e.g., the user rotates/spinsthe devices or makes it slanted), as a tell-tale that a particular useris operating a particular bank account, or as a differentiatingbehavioral characteristic among users (e.g., enabling to detect anattacker operating in a victim's account), or as a cross-account commoncharacteristic (e.g., enabling to detect that one single person isoperating two or more different accounts), and/or by using methodsand/or modules that are described in U.S. Pat. No. 8,938,787, which ishereby incorporated by reference in its entirety, and/or by usingmethods and/or modules that are described in U.S. Pat. No. 9,071,969,which is hereby incorporated by reference in its entirety, and/or byusing methods and/or modules that are described in U.S. Pat. No.9,526,006, which is hereby incorporated by reference in its entirety;(14) generating an input/output anomaly or aberration or interference orirregular behavior (e.g., irregular or abnormal behavior of an on-screenpointer in response to input-unit interaction), and monitoring whetherand which type of corrective action is performed by the user, as atell-tale that a particular user is operating a particular bank account,or as a differentiating behavioral characteristic among users (e.g.,enabling to detect an attacker operating in a victim's account), or as across-account common characteristic (e.g., enabling to detect that onesingle person is operating two or more different accounts), and/or byusing methods and/or modules that are described in U.S. Pat. No.9,069,942, which is hereby incorporated by reference in its entirety;(15) estimating properties of a motor-control loop model or function ofa user of an online account, and utilizing it as a differentiatingcharacteristic among users (e.g., enabling to detect an attackeroperating in a victim's account), or as a cross-account common (e.g.,enabling to detect that one single person is operating two or moredifferent accounts), and/or by using methods and/or modules that aredescribed in U.S. Pat. No. 9,541,995, which is hereby incorporated byreference in its entirety.

Some embodiments may determine, detect, or estimate whether an onlinebanking account or an online financial account (e.g., at a bank or abanking institution, at a brokerage firm, at an investments brokerage,or the like), (I) is accessed by a legitimate user, or (II) is used toreceive and/or transfer money illegally and/or is utilized as a Mulebank account and/or is utilized for money laundering purposes and/or isutilized for fraudulent or fraud-related purposes.

In some embodiments, the determining comprises: (a) monitoringinteractions of the user with a computing device during online access tothe banking account; (b) based on said monitoring, determining whethersaid online banking account (I) is accessed by a legitimate user, or(II) is used to receive and/or transfer money illegally and/or isutilized as a Mule bank account and/or is utilized for money launderingpurposes and/or is utilized for fraudulent or fraud-related purposes.

For example, the method comprises: sampling or monitoring multipleinteractions of said user with a computing device during online accessto a banking account to detect whether the user is located remotely fromsaid computing device and controlling remotely said computing device viasaid remote access channel; and based on said remote access detection,determining whether said online banking account (I) is accessed by alegitimate user, or (II) is used to receive and/or transfer moneyillegally and/or is utilized as a Mule bank account and/or is utilizedfor money laundering purposes and/or is utilized for fraudulent orfraud-related purposes.

In some embodiments, the method comprises: detecting whether said user'sdevice is more-probably communicating indirectly with a trusted servervia a proxy server during online access to a banking account; and basedon said proxy detection, determining whether said online banking account(I) is accessed by a legitimate user, or (II) is used to receive and/ortransfer money illegally and/or is utilized as a Mule bank accountand/or is utilized for money laundering purposes and/or is utilized forfraudulent or fraud-related purposes.

In some embodiments, the method comprises: detecting whether said user'sdevice is more-probably communicating through a virtual machine duringonline access to a banking account; and based on said virtual machinedetection, determining whether said online banking account (I) isaccessed by a legitimate user, or (II) is used to receive and/ortransfer money illegally and/or is utilized as a Mule bank accountand/or is utilized for money laundering purposes and/or is utilized forfraudulent or fraud-related purposes.

In some embodiments, the method comprises: (i) monitoring/samplinginteractions of a user with a computing device during multiple onlineaccesses to a banking account, to create a profile of the interaction ofsaid user with an input unit; (ii) matching the said profile withinteractions of a user with a computing device during online access tosaid banking account; and based on said matching, determining whethersaid online banking account (I) is accessed by a legitimate user, or(II) is used to receive and/or transfer money illegally and/or isutilized as a Mule bank account and/or is utilized for money launderingpurposes and/or is utilized for fraudulent or fraud-related purposes.

In some embodiments, the method comprises: monitoring interactions of auser with a computing device during online access to a banking accountA, which transfers money to banking account B; and based on saidmatching, determining whether said online banking account B (I) isaccessed by a legitimate user, or (II) is used to receive and/ortransfer money illegally and/or is utilized as a Mule bank accountand/or is utilized for money laundering purposes and/or is utilized forfraudulent or fraud-related purposes.

In some embodiments, the method comprises: (i) monitoring interactionsof a user with a computing device during online access to a bankingaccount A, which transfers money to banking account B; (ii) monitoringinteractions of a user with a computing device during online access to abanking account B; (iii) matching the said user/computing deviceinteractions; and based on said matching, determining whether saidonline banking account B, (I) is accessed by a legitimate user, or (II)is used to receive and/or transfer money illegally and/or is utilized asa Mule bank account and/or is utilized for money laundering purposesand/or is utilized for fraudulent or fraud-related purposes.

In some embodiments, the method comprises: (i) monitoring the transfersto a banking account; (ii) analyzing temporal relationship between saidtransfers and the interaction of a user with said online bankingaccount; based on analysis of temporal relationship between saidtransfers and the interaction of a user with said online bankingaccount, determining whether said online banking account (I) is accessedby a legitimate user, or (II) is used to receive and/or transfer moneyillegally and/or is utilized as a Mule bank account and/or is utilizedfor money laundering purposes and/or is utilized for fraudulent orfraud-related purposes.

In some embodiments, the method comprises: (i) sampling theuser/computing device interactions during multiple online accesses to abanking account; (ii) estimating the number of users who access the saidonline banking account; and based on said estimating, determiningwhether said online banking account (I) is accessed by a legitimateuser, or (II) is used to receive and/or transfer money illegally and/oris utilized as a Mule bank account and/or is utilized for moneylaundering purposes and/or is utilized for fraudulent or fraud-relatedpurposes.

In some embodiments, the method comprises: (i) sampling theuser/computing device interactions during online accesses to multiplebanking accounts; (ii) estimating whether the said banking account isaccessed by a user which also accesses other online banking accounts;and based on said estimating, determining whether said online bankingaccount (I) is accessed by a legitimate user, or (II) is used to receiveand/or transfer money illegally and/or is utilized as a Mule bankaccount and/or is utilized for money laundering purposes and/or isutilized for fraudulent or fraud-related purposes.

For demonstrative purposes, portions of the discussion herein may relateto reaching a determination that a particular bank account is used as aMule bank account, or is connected to a Mule bank account as a Victimaccount or as a Final Destination account. However, some embodiments ofthe present invention may utilize the same or similar conditions orcriteria or parameters in order to reach a determination that aparticular bank account is utilizes for money laundering, for terrorfunding, and/or for other illegal purposes.

In some embodiments, upon estimation or determination that a bankaccount is used as a Mule bank account and/or for money launderingand/or for terror funding, the system or method may automaticallytrigger and/or initiate and/or perform one or more pre-definedoperations, for example: generate a notification or alert or alarm to asystem administrator and/or a bank representative and/or a regulatoryagency and/or a law enforcement agency; generate or place a temporary orfixed “freeze” or “hold” on the account; block or cancel or reverse oneor more transactions (e.g., wire transfer) that were performed and/orthat are pending and/or that were scheduled to be performed; require theaccount owner to perform one or more fraud mitigation steps, e.g., toperform two factor authentication, to speak telephonically with a bankrepresentative or with a fraud prevention department, to physicallyarrive to the bank and speak face-to-face to a bank representative, toprovide or upload or send particular documents that clarify or verify orconfirm the user's identity and/or the nature or purpose of suspectedtransactions or of recent transactions, and/or other suitableoperations.

The term “bank account” as used herein may include, as non-limitingexamples, an account of a human being and/or of a legal entity (e.g.,corporation, company, partnership, or the like), at a bank or at abanking institution or at other financial institution (e.g., creditunion; securities account; brokerage account; trading account; checkingaccount; savings account; or the like).

Some embodiments include a method comprising: (a) monitoringinteractions of a user with a computing device during online access witha banking account; (b) based on said monitoring, determining that saidonline banking account is utilized as a mule bank account to illegallyreceive and transfer money.

In some embodiments, the method comprises: (A) based on analysis of userinteractions with said computing device, determining that said user islocated remotely from said computing device and is controlling remotelysaid computing device via said remote access channel; (B) based ondetection of utilization of said remote access channel, determining thatsaid online banking account is used as a mule bank account to illegallyreceive and transfer money.

In some embodiments, the method comprises: (A) based on analysis ofcommunications latency in a communication channel between said computingdevice and a remote server, determining that said user is locatedremotely from said computing device and is controlling remotely saidcomputing device via said remote access channel; (B) based on detectionof utilization of said remote access channel, determining that saidonline banking account is used as a mule bank account to illegallyreceive and transfer money.

In some embodiments, the method comprises: (A) sampling multipleinteractions of said user with an input unit of said computing device;and if a frequency of said multiple interactions is below a pre-definedthreshold, then, determining that said user is located remotely fromsaid computing device and controlling remotely said computing device viaa remote access channel; (B) based on detection of utilization of saidremote access channel, determining that said online banking account isused as a mule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) sampling touch-basedgestures of a touch-screen of said computing device; (B) samplingaccelerometer, gyro and device orientation data of said computingdevice, during a time period which at least partially overlaps saidsampling of touch-based gestures of the touch-screen of the computingdevice; (C) based on a mismatch between (i) sampled touch-basedgestures, and (ii) sampled accelerometer, gyro and device orientationdata, determining that the computing device was controlled remotely viaa remote access channel; (D) based on detection of utilization of saidremote access channel, determining that said online banking account isused as a mule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) based on analysis of userinteractions with said computing device, determining that said computingdevice is communicating with said banking account via a proxy server;(B) based on detection of utilization of said proxy server, determiningthat said online banking account is used as a mule bank account toillegally receive and transfer money.

In some embodiments, the method comprises: (A) based on analysis of userinteractions with said computing device, determining that said computingdevice is communicating with said banking account via a virtual machine;(B) based on detection of utilization of said virtual machine,determining that said online banking account is used as a mule bankaccount to illegally receive and transfer money.

In some embodiments, the method comprises: (A) sampling interactions ofsaid user with said computing device during multiple online accesses tosaid banking account, and creating a user-specific profile of theinteraction of said user with an input unit of said computing device;(B) matching said user-specific profile with fresh interactions of saiduser during a fresh online access to said banking account; (C) based onsaid matching, determining that said online banking account is used as amule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) sampling interactions ofsaid user with said computing device during multiple online accesses tosaid banking account, and creating a user-specific profile of theinteraction of said user with an input unit of said computing device;(B) matching said user-specific profile with interactions of said userwith said banking account via an electronic device that is differentfrom said computing device; (C) based on said matching, determining thatsaid online banking account is used as a mule bank account to illegallyreceive and transfer money.

In some embodiments, the method comprises: (A) monitoring and analyzinginteractions of said user, who utilizes said computing device totransfer funds from said online banking account to a target bankingaccount that is not accessed by said computing device; (B) based on saidanalyzing, determining that said target banking account, that is notaccessed by said computing device, is used as a mule bank account toillegally receive and transfer money.

In some embodiments, the method comprises: (A) monitoring and analyzinginteractions of said user, who utilizes said computing device totransfer funds from said online banking account to a target bankingaccount that is not accessed by said computing device; and creating afirst user-specific profile based on said interactions monitored andanalyzed in step (A); and (B) monitoring and analyzing interactions ofanother user, who utilizes another computing device to access saidtarget bank account; and creating a second user-specific profile basedon said interactions monitored and analyzed in step (B); and (C)determining a match between the first user-specific profile and thesecond user-specific profile; and (D) based on said match, determiningthat said target bank account is used as a mule bank account toillegally receive and transfer money.

In some embodiments, the method comprises: (A) monitoring incomingtransfers into said online banking account; (B) analyzing temporalrelationship between (i) said incoming transfers, and (ii) interactionsof said user via said computing device with said online banking account;(C) based on analysis of said temporal relationship, determining thatsaid target bank account is used as a mule bank account to illegallyreceive and transfer money.

In some embodiments, the method comprises: (A) monitoring and analyzinguser interactions during multiple, different, usage sessions in whichsaid online bank account was accessed; (B) based on step (A), creating aplurality of user-specific profiles that correspond to a plurality ofusers that accessed said online bank account, and generating anestimated number of said plurality of users that accessed said onlinebank account; (C) based on step (B), determining that said target bankaccount is used as a mule bank account to illegally receive and transfermoney.

In some embodiments, the method comprises: (A) monitoring and analyzinguser interactions during usage sessions in which said online bankaccount was accessed, and generating a primary user-specific interactionprofile that characterizes the interactions of said user with saidonline bank account; (B) monitoring and analyzing interactions of usersduring usage sessions in which other online bank account were accessed;and generating, respectively, a plurality of user-specific interactionprofiles; (C) detecting a match between (I) said primary user-specificinteraction profile that was generated in step (A), and (II) anotheruser-specific interaction profile that was generated in step (B)pertaining to another online bank account; (D) based on said match,determining that at least one bank account is utilized by said user as amule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) monitoring and analyzinguser interactions during online accesses to multiple different bankingaccounts; (B) based on step (A), determining that a particular bankingaccount is accessed by a particular user which also accesses one or moreother online banking accounts; (C) based the determining of step (B),determining that at least one bank account is utilized by said user as amule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) monitoring and analyzinguser interactions during a single usage session in which said onlinebank account was accessed; (B) detecting that the user interactions insaid single usage session, match a pre-defined playbook of steps thatcharacterizes operations in a mule bank account; (C) based on thedetecting of said (B), determining that said online bank account wasused as a mule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) monitoring and analyzinguser interactions during multiple usage sessions in which said onlinebank account was accessed; (B) detecting that the user interactions insaid multiple usage session, comprise: (i) an incoming funds transfer,and (ii) a subsequent outgoing funds transfer, and (iii) lack of cashwithdrawals, and (iv) lack of check withdrawals; (C) based on thedetecting of said (B), determining that said online bank account wasused as a mule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) monitoring and analyzinguser interactions during multiple usage sessions in which said onlinebank account was accessed; (B) detecting that the user interactions insaid multiple usage session, comprise: (i) multiple incoming fundstransfer that are incoming from a plurality of different countries, and(ii) multiple outgoing funds transfers that are outgoing to a singlecountry that is different from said plurality of different countries;and further detecting that each incoming funds transfer is followed,with N hours, by an outgoing funds transfer of at least K percent of theincoming funds; wherein N is a pre-defined positive value; wherein K isa pre-defined positive value; (C) based on the detecting of said (B),determining that said online bank account was used as a mule bankaccount to illegally receive and transfer money.

In some embodiments, the method comprises: (A) receiving a list of bankaccounts that are known to be mule bank accounts; analyzing userinteractions that were performed via input units of computing devices byusers that accessed said mule bank accounts; and extracting a set ofinteraction features that characterize the user interactions acrossmultiple mule bank accounts; (B) subsequently, checking whether userinteractions in a particular bank account, match said set of interactionfeatures that were extracted in step (A); and if the checking result ispositive, then determining that said particular bank account was used asa mule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: (A) detecting that a set ofbanking operations comprise: (i) a first funds transfer from a firstbank account to a second bank account, followed by (ii) a second fundstransfer from the second bank account to a third bank account; (B)analyzing (i) a first set of user interactions that were performed in afirst usage session in which funds were transferred out from the firstbank account, and also (ii) a second set of user interactions that wereperformed in a second usage session in which funds were transferred outfrom the second bank account to the third bank account; and detecting aset of user-specific features that appear in both the first set of userinteractions and the second set of user interactions; (C) based on thedetecting of step (B), then: (I) determining that said first bankaccount was a victim bank account, and (II) determining that said secondbank account was used as a mule bank account, and (III) determining thatsaid third bank account was used as a real destination bank account.

In some embodiments, the method comprises: (A) analyzing userinteractions with said computing device, and determining that anoutgoing funds transfer was commanded by said user interactions whilesaid user is located remotely from said computing device and iscontrolling remotely said computing device via said remote accesschannel; (B) based on detection of utilization of said remote accesschannel to perform said outgoing funds transfer, determining that saidonline banking account is used as a mule bank account to illegallyreceive and transfer money.

In some embodiments, the method comprises: (A) analyzing userinteractions with said computing device, and determining that anoutgoing funds transfer was commanded by said user interactions whilesaid user was utilizing a Virtual Machine to access said bank account;(B) based on detection of utilization of the Virtual Machine to performsaid outgoing funds transfer, determining that said online bankingaccount is used as a mule bank account to illegally receive and transfermoney.

In some embodiments, the method comprises: (A) analyzing userinteractions with said computing device, and determining that anoutgoing funds transfer was commanded by said user interactions whilesaid user was utilizing a proxy server to access said bank account; (B)based on detection of utilization of the proxy server to perform saidoutgoing funds transfer, determining that said online banking account isused as a mule bank account to illegally receive and transfer money.

In some embodiments, the method comprises: generating a notificationalert that said online bank account is utilized as a mule bank account.

Although portions of the discussion herein relate, for demonstrativepurposes, to wired links and/or wired communications, some embodimentsof the present invention are not limited in this regard, and may includeone or more wired or wireless links, may utilize one or more componentsof wireless communication, may utilize one or more methods or protocolsof wireless communication, or the like. Some embodiments may utilizewired communication and/or wireless communication.

The present invention may be implemented by using hardware units,software units, processors, CPUs, DSPs, integrated circuits, memoryunits, storage units, wireless communication modems or transmitters orreceivers or transceivers, cellular transceivers, a power source, inputunits, output units, Operating System (OS), drivers, applications,and/or other suitable components.

The present invention may enable machines and/or computerized systems tohave new capabilities and/or new functions that were not available tosuch machines or systems so far; including, for example: a newcapability to correctly differentiate among multiple human users; a newcapability for machines or computerized systems to differentiate between(I) a legitimate or “naïve” user, and (II) a fraudster or a human userhaving criminal intent or an illegitimate user; a new capability formachines or computerized systems allowing the machine or thecomputerized system to defend itself or to protect itself againstcyber-attacks and/or illegitimate operations, and/or against impostorsor identity-thieves or dishonest users; a new capability for machines orcomputerized systems to correctly identify and/or detect that a currentuser of an online resource or an online destination, is not the samehuman user that had accessed the same resource previously, even if thetwo access sessions were performed via the same device and/or via thesame browser or application and/or from the same IP address and/or whenthe user/s are already logged-in and/or are already authenticated; a newcapability for machines or computerized systems to defend or protectthemselves against fraudulent transactions or criminal behavior oragainst hackers, crackers, human hackers, automated hacking tools, “bot”or other automated scripts; a new capability for machines orcomputerized systems to initiate and to perform fraud-mitigationoperations based on analysis of user interactions; improved securityand/or integrity and/or reliability of machines and computerizedsystems; and/or other new capabilities that conventional machines andconventional computerized systems do not have and that the presentinvention provides.

Embodiments of the present invention may be utilized with a variety ofdevices or systems having a touch-screen or a touch-sensitive surface;for example, a smartphone, a cellular phone, a mobile phone, asmart-watch, a tablet, a handheld device, a portable electronic device,a portable gaming device, a portable audio/video player, an AugmentedReality (AR) device or headset or gear, a Virtual Reality (VR) device orheadset or gear, a “kiosk” type device, a vending machine, an AutomaticTeller Machine (ATM), a laptop computer, a desktop computer, a vehicularcomputer, a vehicular dashboard, a vehicular touch-screen, or the like.

The system(s) and/or device(s) of the present invention may optionallycomprise, or may be implemented by utilizing suitable hardwarecomponents and/or software components; for example, processors,processor cores, Central Processing Units (CPUs), Digital SignalProcessors (DSPs), circuits, Integrated Circuits (ICs), controllers,memory units, registers, accumulators, storage units, input units (e.g.,touch-screen, keyboard, keypad, stylus, mouse, touchpad, joystick,trackball, microphones), output units (e.g., screen, touch-screen,monitor, display unit, audio speakers), acoustic microphone(s) and/orsensor(s), optical microphone(s) and/or sensor(s), laser or laser-basedmicrophone(s) and/or sensor(s), wired or wireless modems or transceiversor transmitters or receivers, GPS receiver or GPS element or otherlocation-based or location-determining unit or system, network elements(e.g., routers, switches, hubs, antennas), and/or other suitablecomponents and/or modules.

The system(s) and/or devices of the present invention may optionally beimplemented by utilizing co-located components, remote components ormodules, “cloud computing” servers or devices or storage, client/serverarchitecture, peer-to-peer architecture, distributed architecture,and/or other suitable architectures or system topologies or networktopologies.

In accordance with embodiments of the present invention, calculations,operations and/or determinations may be performed locally within asingle device, or may be performed by or across multiple devices, or maybe performed partially locally and partially remotely (e.g., at a remoteserver) by optionally utilizing a communication channel to exchange rawdata and/or processed data and/or processing results.

Some embodiments may be implemented by using a special-purpose machineor a specific-purpose device that is not a generic computer, or by usinga non-generic computer or a non-general computer or machine. Such systemor device may utilize or may comprise one or more components or units ormodules that are not part of a “generic computer” and that are not partof a “general purpose computer”, for example, cellular transceivers,cellular transmitter, cellular receiver, GPS unit, location-determiningunit, accelerometer(s), gyroscope(s), device-orientation detectors orsensors, device-positioning detectors or sensors, or the like.

Discussions herein utilizing terms such as, for example, “processing”,“computing”, “calculating”, “determining”, “establishing”, “analyzing”,“checking”, “detecting”, “measuring”, or the like, may refer tooperation(s) and/or process(es) of a processor, a computer, a computingplatform, a computing system, or other electronic device or computingdevice, that may automatically and/or autonomously manipulate and/ortransform data represented as physical (e.g., electronic) quantitieswithin registers and/or accumulators and/or memory units and/or storageunits into other data or that may perform other suitable operations.

The terms “plurality” and “a plurality”, as used herein, include, forexample, “multiple” or “two or more”. For example, “a plurality ofitems” includes two or more items.

References to “one embodiment”, “an embodiment”, “demonstrativeembodiment”, “various embodiments”, “some embodiments”, and/or similarterms, may indicate that the embodiment(s) so described may optionallyinclude a particular feature, structure, or characteristic, but notevery embodiment necessarily includes the particular feature, structure,or characteristic. Repeated use of the phrase “in one embodiment” doesnot necessarily refer to the same embodiment, although it may. Repeateduse of the phrase “in some embodiments” does not necessarily refer tothe same set or group of embodiments, although it may.

As used herein, and unless otherwise specified, the utilization ofordinal adjectives such as “first”, “second”, “third”, “fourth”, and soforth, to describe an item or an object, merely indicates that differentinstances of such like items or objects are being referred to; and doesnot intend to imply as if the items or objects so described must be in aparticular given sequence, either temporally, spatially, in ranking, orin any other ordering manner.

Functions, operations, components and/or features described herein withreference to one or more embodiments of the present invention, may becombined with, or may be utilized in combination with, one or more otherfunctions, operations, components and/or features described herein withreference to one or more other embodiments of the present invention. Thepresent invention may comprise any possible combinations,re-arrangements, assembly, re-assembly, or other utilization of some orall of the modules or functions or components that are described herein,even if they are discussed in different locations or different chaptersof the above discussion, or even if they are shown across differentdrawings or multiple drawings, or even if they are depicted in anydrawing(s) without necessarily being connected via a line or an arrow.

Some embodiments of the present invention may comprise, or may utilize,one or more of the following units, modules, systems, devices,operations, and/or examples.

Some embodiments may comprise a device, method, and system of detectinguser identity based on motor-control loop model. A includes: during afirst session of a user who utilizes a pointing device for interactingwith a computerized service, monitoring the pointing device dynamics andgestures of the user; based on the monitored dynamics and gestures,estimating parameters that characterize a sensorimotor control loopmodel of the user; storing in a database a record indicating that theuser is associated with the parameters that characterize thesensorimotor control loop model of the user.

Some embodiments of the present invention may include a methodcomprising: (a) during a first session of a user who utilizes a pointingdevice for interacting with a computerized service, monitoring on-screenmovements of an on-screen pointer; (b) defining a sensorimotor controlloop model by utilizing at least a function that takes into account atleast (A) a first trajectory parameter indicating current velocity ofpointing device movement, and (B) a second trajectory parameterindicating translation error; (c) by analyzing estimated dynamics of thepointing device, determining (AA) at least one sensorimotor control loopparameter that characterizes utilization of said pointing device by saiduser, and (BB) at least one parameter corresponding to a noisecharacteristic of the sensorimotor control loop that characterizesutilization of said pointing device by said user; (d) differentiatingbetween (i) said user and (ii) one or more other users, based on (AA)said at least one sensorimotor control loop parameter that characterizesutilization of said pointing device by said user, and (BB) said at leastone parameter corresponding to the noise characteristics of thesensorimotor control loop that characterizes utilization of saidpointing device by said user.

In some embodiments, the method comprises: storing in a database arecord indicating that said user is associated with said parameters thatcharacterize the sensorimotor control loop model of said user; in asubsequent session of interaction with said computerized service:monitoring pointing device dynamics and gestures of a subsequent user,estimating current parameters that characterize a sensorimotor controlloop of said subsequent user, comparing the current parameters to saidrecord of parameters, and based on results of said comparing,determining whether said subsequent user of the second session is thesame person as said user of the first session.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating whetheror not an elbow of said user is resting on a surface; based onestimation of whether or not the elbow of said user is resting on thesurface, differentiating between said user and another user interactingwith said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating whetherthe user is right-handed; based on estimation of whether said user isright-handed, differentiating between said user and another userinteracting with said computerized service. In some embodiments, themethod comprises: based on the monitored pointing device dynamics andgestures of said user, estimating an eye saccade model of said user;based on the estimated eye saccade model of said user, differentiatingbetween said user and another user interacting with said computerizedservice.

Some embodiments may comprise a monitoring module for monitoring usageof an electronic device, the monitoring module configured to perform amethod comprising: (a) during a first session of a user who utilizes apointing device for interacting with a computerized service, monitoringon-screen movements of an on-screen pointer; (b) defining a sensorimotorcontrol loop model by utilizing at least a function that takes intoaccount at least (A) a first trajectory parameter indicating currentvelocity of pointing device movement, and (B) a second trajectoryparameter indicating translation error; (c) by analyzing estimateddynamics of the pointing device, determining (AA) at least onesensorimotor control loop parameter that characterizes utilization ofsaid pointing device by said user, and (BB) at least one parametercorresponding to a noise characteristic of the sensorimotor control loopthat characterizes utilization of said pointing device by said user;wherein said determining comprises: generating a function that describesthe sensorimotor control loop model that causes said on-screen movementsof said on-screen pointer; (d) differentiating between (i) said user and(ii) one or more other users, based on said function that describes thesensorimotor control loop model.

In some embodiments, the monitoring module is further configured toperform: storing in a database a record indicating that said user isassociated with said parameters that characterize the sensorimotorcontrol loop model of said user; in a subsequent session of interactionwith said computerized service: monitoring pointing device gestures of asubsequent user, estimating current parameters that characterize asensorimotor control loop of said subsequent user, comparing the currentparameters to said record of parameters, and based on results of saidcomparing, determining whether to authenticate identity of saidsubsequent user. In some embodiments, the monitoring module is furtherconfigured to perform: estimating a user-specific muscular profile whichcharacterizes the motor control loop; estimating a user-specificcoordination index which characterizes the motor control loop;differentiating between two or more users based on the user-specificmuscular profile and the user-specific coordination index. In someembodiments, the monitoring module is further configured to perform:based on the monitored pointing device dynamics and gestures of saiduser, estimating one or more parameters characterizing an eye-handcognitive correction feedback of said user; based on the estimated oneor more parameters characterizing the eye-hand cognitive correctionfeedback of said user, differentiating between said user and anotheruser interacting with said computerized service. In some embodiments,the monitoring module is further configured to perform: based on themonitored pointing device dynamics and gestures of said user, estimatingan eye-hand coordination model of said user in response to an introducedinterference to user experience at said computerized service; based onthe estimated eye-hand coordination model of said user in response tothe introduced interference to user experience at said computerizedservice, differentiating between said user and another user interactingwith said computerized service.

Some embodiments comprise a monitoring system for monitoring usage of anelectronic device, the monitoring system configured to perform a methodcomprising: (a) during a first session of a user who utilizes a pointingdevice for interacting with a computerized service, monitoring on-screenmovements of an on-screen pointer; (b) defining a sensorimotor controlloop model by analyzing the on-screen movements of the on-screenpointer; (c) by analyzing estimated dynamics of the pointing device,determining (AA) at least one sensorimotor control loop parameter thatcharacterizes utilization of said pointing device by said user, and (BB)at least one parameter corresponding to a noise characteristic of thesensorimotor control loop that characterizes utilization of saidpointing device by said user; wherein said determining comprises:generating a function that describes the sensorimotor control loop modelthat causes said on-screen movements of said on-screen pointer; (d)differentiating between (i) said user and (ii) one or more other users,based on said function that describes the sensorimotor control loopmodel. In some embodiments, the monitoring system is further configuredto perform: estimating parameters of a sensorimotor control loop whichcomprises eye, hand, and brain coordination and control of the pointingdevice. In some embodiments, the monitoring system is further configuredto perform: presenting to said user a number of choices; subsequently,modifying the number of choices presented to said user; based on themonitored pointing device dynamics and gestures of said user, estimatinga level of awareness of said user to modification of the number ofchoices; based on the estimated level of awareness of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the monitoring system isfurther configured to perform: based on the monitored pointing devicedynamics and gestures of said user, estimating parameters of a Fitts'sLaw function indicating ability of said user to rapidly reach anon-screen target; based on the estimated parameters of the Fitts's Lawfunction of said user, differentiating between said user and anotheruser interacting with said computerized service.

In some embodiments, the monitoring system is further configured toperform: based on the monitored pointing device dynamics and gestures ofsaid user, estimating a level of accuracy of said user in reaching anon-screen user interface element; based on the estimated level ofaccuracy of said user, differentiating between said user and anotheruser interacting with said computerized service.

Some embodiments comprise a computer-implemented process comprising: (a)during a usage session of a user who utilizes a pointing device forinteracting with a computerized service, monitoring on-screen movementsof an on-screen pointer; (b) analyzing the on-screen movements of theon-screen pointer to derive from them estimated dynamics of the pointingdevice as utilized by said user, and to define a sensorimotor controlloop model that characterizes the utilization of said pointing device bysaid user; (c) differentiating between (i) said user and (ii) one ormore other users, based on a subsequent analysis of subsequent on-screenmovements of the on-screen pointer which correspond to pointing devicedynamics that do not match said sensorimotor control loop model that wasdefined for said user. In some embodiments, estimating parameters of amotor control loop of said user comprises: estimating the parametersthat characterize the sensorimotor control loop as a function oftranslation error, current velocity, and motor control noise, based onmonitored pointing device dynamics and gestures. In some embodiments,the process comprises: estimating parameters of a first sensorimotorcontrol loop, associated with pointing device based interaction of afirst user during a first session at a first computerized service;estimating parameters of a second sensorimotor control loop, associatedwith pointing device based interaction of a second user during a secondsession at a second, different, computerized service; if the parametersof the first sensorimotor control loop match the parameters of thesecond sensorimotor control loop, then determining that the first userand the second user are the same person. In some embodiments, estimatingthe parameters of the sensorimotor control loop comprises: estimatingparameters of a sensorimotor control loop which comprises sensory organ,muscle, and brain. In some embodiments, the process comprises: based onthe monitored pointing device dynamics and gestures of said user,estimating both movement agility and movement dexterity of said user;based on both the estimated movement agility and the estimated movementdexterity of said user, differentiating between said user and anotheruser interacting with said computerized service.

The present invention may include, for example, systems, devices, andmethods for detecting identity of a user of an electronic device, andfor determining whether or not an electronic device is being used by afraudulent user; as well as for determining identity of a user based onmotor-control loop model.

In some embodiments, a method comprises: during a first session of auser who utilizes a pointing device for interacting with a computerizedservice, monitoring the pointing device dynamics and gestures of saiduser; based on the monitored dynamics and gestures, estimatingparameters that characterize a sensorimotor control loop model of saiduser; storing in a database a record indicating that said user isassociated with said parameters that characterize the sensorimotorcontrol loop model of said user. In some embodiments, the methodcomprises, in a subsequent session of interaction with said computerizedservice: monitoring pointing device dynamics and gestures of asubsequent user; estimating current parameters that characterize asensorimotor control loop of said subsequent user; comparing the currentparameters to said record of parameters, and based on results of saidcomparing, determining whether said subsequent user of the secondsession is the same person as said user of the first session.

The present invention may include a non-portable system (e.g., fordesktop computers or for non-portable computing devices) and/or a mobileor portable system (e.g., for mobile devices, smartphones, tablets),which may utilize multi-modal passive-biometric integration ofalgorithms (e.g. kernel-SVM, random forests classification,machine-learning algorithms, non-machine-learning algorithms) applied onfeatures of behavior (e.g., curve features, affine transformation of x-yspace, motor control theory based features, as well as keyboard andmouse synergy such as the time interval between mouse move and keyboardtyping). The systems may actively challenge (interact with) the userunconsciously, thereby allowing active sensing of biometric traits oruser-specific traits (e.g., to deduce user-specific traits of hand-eyecoordination), thereby enabling detection or confirmation of useridentity, or confirmation that a user is indeed the genuine user (e.g.,the account owner), or detecting that a user is estimated to be anon-genuine user or a “fraudster” or cracker or hacker or imposter orillegitimate user.

The passive solution is demonstrated herein in the context of fraudpreventing of a remote access application, for example, accessing a bankaccount or brokerage account over a wired or wireless communication link(e.g., Internet connection, cellular link, Wi-Fi link, WAN, LAN, or thelike). A first method may extract unique cognitive motor parameters;whereas a second method may extract unique behavioral, physiologicaland/or anatomical parameters. Their combination may allow biometricaccuracy for continuous user authentication.

In accordance with the present invention, a first demonstrative methodmay extract and utilize user-specific traits that relate to sensorimotorcontrol (or, motor control) of a pointing device (e.g., a mouse). Thesensorimotor control system is affected by several factors, including,for example, anatomical features, the system's noise level and previoussensorimotor events. As a result, internal representations of theaction-perception loop may differ between users. The method may captureparameters of the action-perception loop in a task that involves usageof the pointing device. These parameters cover, for example, the motorand sensory noise, the control loop parameters, or the like. It isclarified that the discussion herein may utilize, interchangeably, termssuch as “motor control”, “motor control loop”, “motor control loopmodel”, “sensori-motor control”, “sensori-motor control loop”,“sensori-motor control loop model”, and/or similar terms (e.g.,motor-control-related parameters, functions, equations, calculations, orthe like).

By estimating the user's specific sensorimotor control parameters, thesystem may extract user's traits which are more inherent and lesstask-dependent. In a demonstrative model, a movement starts at rest in(X0, Y0) and ends at rest in (X1, Y1), where x and y represent thehorizontal and vertical components of the position of a cursor on ascreen, respectively. In some embodiments, a control loop (e.g., of thesecond order) may assume that the force of the hand on the mouse, may begoverned by a linear combination of two components (or two terms): thetranslation error (the distance to the target), and the currentvelocity.

The translation error (in the x axis) at time (t) may be representedusing Equation (1):

Δx=(x ₁ −x(t))  (1)

The current velocity for the x-axis, Vx (and similarly, Vy for they-axis) may be represented using Equation (2):

$\begin{matrix}{v_{x} = {\frac{d}{dt}{x(t)}}} & (2)\end{matrix}$

Three control loop features, regarding the hand's displacement along thex-axis (and similarly, for the y-axis) may be extracted using Equation(3):

$\begin{matrix}{\frac{d^{2}{x(t)}}{dt^{2}} = {{\alpha_{x}\Delta x} + {\beta_{x}v_{x}} + n_{x}}} & (3)\end{matrix}$

In Equation (3), α_(x) and β_(x) are loop parameters; and n_(x) is thesensorimotor control noise (e.g. Gaussian random variable).

Accordingly, the system may simulate trajectories which may be similarto human traits.

The Applicants have generated illustration of charts which demonstratescharacteristics of control loops that may be determined and/or estimatedin accordance with some demonstrative embodiments of the presentinvention. Each chart describes two hand/mouse movements, represented bysolid and dashed lines. Two charts correspond to a first user(“User-A”), whereas two other charts correspond to a second user(“User-B”). Charts may demonstrate a screen cursor displacement in twodimensions, x and y, resulted by the movement; whereas other chartsdemonstrate the current hand/mouse velocity, as a function of time. Thecharts may demonstrate a second order control loop of two differentusers, characterized by different control loop and noise parametervalues.

Although the velocity curve (e.g., in the second chart) may be differentfor each movement (e.g., solid vs. dashed lines), it may be generated bythe same model parameters. By estimating these parameters, the systemmay distinguish between a genuine user and an intruder or fraudster orimposter, regardless of the specific movements actually performed in aspecific session; as demonstrated by a comparison of “User-A” and“User-B” in the charts, generated by different control loop and noiseparameters values.

This demonstrative model may be extended to take into account othermodels of sensorimotor control, including forward and feedback models.For example, if the error terms are distorted by a non-linear function,such as, sign(x)√{square root over (|x|)}, then the system may achievedifferent properties of movements such as synchronized peak velocitiesfor different movements.

In accordance with the present invention, the motor traits of each usermay be modeled and/or detected, thereby building a model whichcorresponds to each user and represents motor traits of that user. Insome embodiments, for example, a motor model may be built for each userbased on hand movements and/or gestures of the user within K sessions(e.g., K may be equal to 1, or 2, or 5, or 12, or 40, or other positiveinteger, indicating the number of previous sessions). Then, in asubsequent session, actual motor behavior of a tested user may becaptured and compared to the previously-modeled motor behavior of thatuser. If the currently-captured motor behavior corresponds to thepre-calculated user-specific model, then the system may determine thatthe current user is indeed the genuine user. In contrast, if thecurrently-captured motor behavior does not correspond to thepre-calculated user-specific model, then the system may determine or mayestimate that the current user is not the genuine user, and may generatean alert or alarm, may send notification(s) to relevant personnel oradministrators, and/or may require the user to perform additionalsecurity tasks (e.g., to contact a customer service or fraud departmentby phone, to utilize two-factor authentication, to answer one or morepre-defined security questions, or the like).

A demonstrative experiment has collected input from N=64 users, eachuser performing approximately m=40 virtual bank transactions on ademonstration website. For each mouse stroke, the system extractedseveral user-specific features (including sensorimotor control relatedfeatures) and calculated an estimate of the parameters of the linearmodel presented above. The system ranked the features using the randomforest machine learning algorithm. The sensorimotor control relatedfeatures were among the best user-specific features for detecting and/orconfirming user identity.

The Applicants have generated a chart demonstrating some of theexperiment results in accordance with the present invention. Each one ofthree symbols represents a different user. The chart demonstrates thespace of β_(x) and β_(y), averaged over the different strokes in asession (the average number of strokes is per session approximately 50).The chart demonstrates a clear discrimination potential among threeusers (depicted by utilizing three colors or three different symbols),and further demonstrates the system's ability to uniquely identify eachuser according to his or her cognitive behavioral profile.

In accordance with the present invention, hand or cursor trajectoriesmay be used to extract or estimate biometric parameters or user-specificinformation. Some conventional methods attempted to extractuser-specific features that were based on direct measures of thetrajectory, such as the perpendicular error; the limitation of thesemethods is that the less the environment is controlled, the more theuser's activity is heterogeneous and thus the within subject variabilityof some features is high. The present invention utilizes the theory ofsensorimotor control of movement for improved model-based biometrics anduser-specific feature extraction, which may be a robust, taskindependent description of a user's interaction with a computer, acomputing device, an electronic device, a mouse, an input unit, or thelike, and may also predict movement dynamics in a new environment (e.g.,a new application or website or web-page that the user did not accessbefore) and/or under an intentional (undetected) distortion of therelationship between the positions of hand and the cursor (e.g.,visuo-motor rotation). The present invention may allow to predict thebehavior of a particular user under a rotation distortion, given atrained model of the user's sensorimotor control parameters.

The present invention may identify or detect that a user is attemptingto pose as another user. Different users are likely to have differentmotor-control related characteristics. Therefore, different users arelikely to move differently their hand, when controlling an electronicdevice. By modeling and estimating the motor and cognitivecharacteristics of a user, and by utilizing these characteristics totest a new set of data (e.g., an attempt to log in to a email account)the system may detect a fraud or a possible fraud, e.g., a fraudsterattempting to interact with a website that a genuine user had accessedbefore and that the system had already built a sensorimotor controlmodel for the genuine user.

The present invention may address attempts to falsify an identity. If a“bot” or automated program or scripts attempts to falsify identity of ahuman user, it is expected to move the cursor or pointer differentlythan humans in general, and differently than the specific genuine userin particular. By extracting the sensorimotor control parameters of acurrent interaction session, the system may detect suspicious non-humanactivity, posing as a genuine human user. Moreover, if a fraudster opensmultiple accounts, he or she may be over-trained with the targetapplication (or website, or web-page), thereby having a dedicatedtrained sensorimotor control loop for the target application (orwebsite, or web-page); and this in turn might be detected as suspiciousactivity. It is noted that the present invention may avoid capturing anypersonally identifiable information (PII) while extracting and/orutilization of biometric (or user-specific) features.

The present invention may utilize motor-control related modeling andanalysis, in order to extract user-specific traits. Instead of, or inaddition to, searching for repeated patterns in user interactions withinan application, the present invention may utilize a comprehensiveapproach which synergizes system identification, a control-engineeringdiscipline, sensorimotor control related features, and acognitive-science discipline, thereby allowing the system to “reverseengineer” the process in order to find individual parameters forbiometric purposes. This may enable robustness and improved performance,as well as the ability to predict user-specific patterns of movementunder new environment, e.g., as challenge-response.

In accordance with the discipline of control engineering, the presentinvention may utilize system identification (SI) and statistical methodsto build mathematical models of dynamical systems from measured datacorresponding to user interactions or gestures. The system estimates theparameters of a sensorimotor control model which describes theaction-perception loop of the hand-eye coordination in mouse and touchdynamics, by using SI techniques. For example, the system may extractthe motor and sensory noises and the control loop parameters, which maybe used for building a biometric profile.

The system may measure each feature independently for both axes (x-axisand y-axis), and may also measure several statistics over it, e.g.,mean, standard deviation, range, maximum, minimum, kurtosis, skewness,quantiles, or the like. The sensorimotor control model accuracy may beimproved by testing higher orders and linear-non-linear transformationto encapsulate non-linear effects (e.g., based on Fitt's law).

In accordance with the present invention, an experiment was held with200 anonymous users who were directed to a virtual yet realistic bankaccount management website. To demonstrate the concept of reverseengineering of a motor control loop, a user moves the cursor frominitial location X0 to target position X1 (generalization may beperformed, to two dimensions).

The system ranked the features using Random Forest Classification, andyielded motor-control features which were in the top ten list of bestfeatures.

An experiment showed that applying system identification (SI) techniqueson a motor control model of movement may produce highly robust features,which are not based merely on the specific movement statistics, butrather, are based on a generative model which encapsulates cognitivehuman traits or other user-specific traits.

In accordance with the present invention, another demonstrativeembodiment may monitor, identify, and utilize Inter and IntraApplication Usage Stream or interaction stream. The system may capturethe user's application usage behavior, by monitoring and tracking thesequence and time span of each application screen or web-page(inter-page sequence), as well as navigation order and time span betweenthe user-interface elements within each screen or web-page (intra-pagesequence). The system may capture the user's application usage behavior,by monitoring and tracking the user page-specific intra-page behavior,such as, order of navigation between fields (text input, buttons,select-boxes, or the like), angle and/or velocity of entering andexiting each field, average or typical time spent in each field,location of mouse clicks within each field (e.g., right-side, center,left-side), or the like. The system may condition behavioral biometrictraits (e.g., mouse movements, mouse clicks, keystrokes) on theapplication and task; thereby reducing the heterogeneity in behavior dueto the actual software application in use.

The Applicants have generated a map demonstrating utilization ofuser-specific usage stream model, in accordance with the presentinvention. Each one of external circles represents an application or awebsite (or, a specific page in an application or website). Each one ofinner circles represents a user-interface (UI) element (e.g., a dialogbox, a drop-down menu, a radio button, a checkbox, a field in a form, a“submit” button, a button, or the like). Each transition ischaracterized by an associated transition probability. Moreover, eachstate, whether external or internal, is also characterized by the timeduration.

The system may model the behavior as a hierarchical fully observedcontinuous-time Markov chain, where each state is represented by a pagein the first level and an element in the second level. Optionally, someembodiments may extend the model to semi-Markov chain, or Markov renewalprocess.

The user profile may be characterized by the initial distribution tostart with:

State x₀ (Pr(x₀)), the transition probability matrix to move from statex_(t−1) to state x_(t) (Pr(x_(t)|x_(t−1))) and the distribution of timeduration T_(t) given the current state and possibly the previous state:Pr(T_(t)|x_(t),x_(t−1)). These statistics may be estimated from asupervised training set.

When a new session is observed, the system may compare the observedMarkov chain with the empirical expected model by a statistical test;for example, by measuring one or more of: the χ² test of goodness of fit(GOF), the exact goodness of fit, and/or the likelihood or the log ratiotest between the hypothesis that the session belongs to the (declared)user and the hypothesis that it is not. Similarly, the system maycompute the GOF of the observed mean duration per page and the GOF ofthe session length. The first may be done, for example, by thelikelihood of an exponential model, or by computing a two-sampleKolmogorov-Smirnov test.

In accordance with the present invention, different users navigatedifferently between applications (or websites), and within anapplication (or within a website). For example, some users utilize theAlt-Tab key combination in Windows, or shift between browser tabs, moreoften than other users do. Within an application or webpage, some peopleuse some UI elements more than others. For instance, in a bankingwebsite or web-page or application, users perform different tasks andhave different task control-flow (e.g., firstly checking the currentbalance, then making a payment; or, firstly checking online messages,then checking debits, then checking credits). For example, User-A maytypically check his account balance, and only then perform an onlinepayment to a utility company; whereas User-B may typically review asnapshot of her account, then read any waiting messages, and only thenperform an online payment. Even if multiple users have the same workingflow, they may spend different time periods in different applications(or application pages, or application segments) or user-interfaceelements. For example, User-A typically spends approximately 3 to 5seconds reviewing his bank account balance; whereas User-B typicallyspends approximately 18 to 25 seconds reviewing her bank accountbalance.

The Applicants have generated a graph chart demonstrating experimentresults in accordance with the present invention. In a demonstrativeexperiment, information was collected from 30 participants reading aweb-based news site. The system collected the time duration and pagename of the main site categories (e.g., sports, science, politics). Thegraph chart depicts the experiment results, demonstrating receiveroperation curve (ROC) of page stream analysis in that news website. Thehorizontal axis (denoted FP) represents False Positive Error; thevertical axis represents True Positive value. The curved graph line 401indicates the ROC curve, or indicates that the decision by the aboveanalysis that the user is genuine is statistically significant; comparedto the straight graph line 402 which indicates 50% chance to make amistake or to give a true answer, or which indicates 50% chance by pureguessing that the user is genuine (or not genuine).

The present invention utilizes a high level of behavioral-basedbiometric parameters corresponding to application usage flow (or websiteusage flow, or web-page usage flow, or service usage flow), instead of(or in addition to) utilizing low-level motor behavior of mouse dynamicsand/or keystroke dynamics. Optionally, the present invention maycondition the low-level motor behavior to specific application usage,e.g., how do users behave when they perform a certain task in a certainapplication. Some behavioral biometric measurements of keystroke and/ormouse dynamics may be critically dependent on the application or taskwithin an application (e.g., typing speed in a spreadsheet applicationversus a word processing application). By closely monitoring theapplication changes, the system may build and update an interactionbehavioral model which is task-dependent and/or application-dependent.Integrating a general non-application-dependent biometric model withapplication-depended models may further increase biometric performance.

The present invention may identify a “fraudster” or imposter or a userattempting to pose as another individual, or trying to “spoof” thesystem. An imposter would need to replicate the genuine user patterns ofactivity, including time span at each application window (or web-page,or web-section) and user-interface element. This may be highly unlikely,and may be very difficult for a fraudster (or for an automatic script)to know or to predict or to imitate. By combining signal processing andlearning algorithms, the system may generate a specific model for eachgenuine user and test new samples of interaction for their “goodness offit” with the pre-trained model or the previously-generated model (e.g.,built based on previous interaction sessions of that logged-in user).Furthermore, false or fake identity derived from automated scripts orsoftware is likely to have a regular transition rate with smallvariance, which is not typical to humans; and therefore, detecting thistype of fraudulent activity may also be possible. In some embodiments ofthe present invention, no personally identifiable information (PII)needs to be collected or stored in order to allow the biometric modalityto function.

The present invention may include a system. At an overview, for example,a desktop client may run as a Microsoft Windows service, and maycommunicate with a provided Application Programming Interface (API) andwith a server using REST calls or other suitable bindings. The connectorsubscribes to key/mouse/application events, and dispatches the eventstowards or among multiple (e.g., four) receivers or receiver modules.Each of the receiver modules internally buffers the data, as some of thefeatures examined are activity-window related (as opposed tosingle-stroke related). The receiver modules periodically generate newkeys. The rate of the generation may be based on the rate of fresh-dataflow. The keys may be delivered to the encoder, which encrypts andstores them in storage (e.g., volatile or non-volatile storage). Themessaging module may reliably transmit these keys to the server, and mayreceive trust-level indicators in the responses, which may be reportedback via the API. Other suitable architectures may be used.

For example, the system may comprise an API connector which mayinterface with a service, a software, an application, a web-basedservice, a browser-based service, a server-side service or application,a client-side service or application, a web-site, or the like. APIconnector may have access to mouse dynamics, keystroke dynamics, UI andGUI elements displayed and/or used, the particular pages or regions ofthe application that are being used, and/or other data. API connectormay transfer keystroke data to keyboard receiver module; API connectormay transfer mouse strokes data to mouse receiver module; API connectormay transfer key and mouse strokes data to session stream receivermodule; API connector may transfer session state and context data tosession stream receiver module. Other suitable receiver modules may beused.

Keyboard receiver module may comprise, for example, a typing dynamicsmodule able to analyze or determine user-specific characteristics ortraits of typing dynamics; a semantics/formatting module able to definethe context of which the keystrokes being inserted; an activity windowstatistics module able to collect and/or aggregate statistic data aboutthe activity window relative to the monitored keystrokes; and a usagepatterns module able to identify other suitable user-specific usagepatterns that may be derived from analysis of keystrokes. Keyboardreceiver module may output a set or batch, of one or more biometric orbehavioral traits, that are user-specific and correspond to theparticular user interacting via the keyboard in the particular currentsession being monitored. The output feature(s) may be transported to afeatures encoder module.

Mouse receiver module may comprise, for example, a mouse strokesdynamics module able to analyze and/or determine user-specific traitsbased on the captured or monitored mouse strokes dynamics; and anactivity window statistics module able to collect and/or aggregatestatistic data about the activity window relative to the monitored mousedynamics. Mouse receiver module may output a set or batch, of one ormore biometric or behavioral traits, that are user-specific andcorrespond to the particular user interacting via the mouse in theparticular current session being monitored. The output feature(s) may betransported to the features encoder module.

Patterns receiver module may analyze the monitored user interactions inorder to identify and/or detect user-specific behavioral traits; forexample, by utilizing in-field and between-field navigation module ableto detect a pattern of in-field navigation and/or between-fieldnavigation (e.g., performed with the mouse, or performed with the Tabkey); by utilizing a desktop and application usage pattern module ableto detect a usage pattern in the application, such as, online banking,e-commerce, healthcare, email, social networks, etc. Patterns receivermodule may output a set or batch, of one or more biometric or behavioraltraits, that are user-specific and correspond to the particular userutilizing the particular application (or service, or software, orwebsite, or web-page) in the particular current session being monitored.The output feature(s) may be transported to the features encoder module.

Session stream receiver module may receive session state and contextdata, and may detect user-specific behavioral traits related to thesession stream of the particular user being monitored in the currentparticular interaction session. For example, a desktop session tracemodule may monitor and detect the session trace in a desktopapplication; and an in-application session trace module may monitor anddetect the in-application usage trace. The session stream receivermodule may determine, for example, that the user checked her accountbalance before making an online payment; or, that the user reviewed pastorders before placing a new order; or, that the user checked her inboxmessages before performing a wire transfer. Such user-specificbehavioral traits may be transferred to the features encoder module(e.g., for further comparison with previously-captured user-specificbehavioral traits).

The features encoder may utilize short-term memory to temporarily storethe received inputs. The features encoder may encode or translate thereceived inputs into a pre-defined format that allows efficienttransport of the extracted behavioral features to a remote server, usinga messaging layer and a transport element (e.g., a wired or wirelesscommunication link or transceiver).

Server may receive the encoded user-specific features, together withdata indicating which user is currently being monitored (e.g., based onhis username, or based on data corresponding to his username); and mayretrieve from a database or a storage unit previously-stored record(s)for that particular user, indicating previously-stored user-specificfeatures or patterns. The server may compare the currently-capturedbehavioral traits, to previously-captured or typically-identified traitsof that particular user; and may generate one or more responseindicator(s), which may be sent back via the messaging layer and maythen be transported back to the service or software being used by theuser via the API connector.

For example, server may determine that in the currently-monitoredinteraction session, the current user moves between fields by usingmouse clicks; whereas, in all or in 90 percent (or another thresholdpercentage) of past interactions that correspond to the currentlylogged-in user, movement between fields was performed with the Tab keyon the keyboard; and thus, server may send back a response indicating“possibly fraudulent interaction”, which may be used (by itself, or bytaking into account other responses for that user) to trigger furtheractions (e.g., to block the currently logged-in user from performingsubsequent operation, or a certain type of operations, or to require theuser to contact customer service via phone, or the like).

In another example, server may detect that the currently-monitoredlogged-in user is accessing the wire transfer section of a bankingwebsite, immediately after logging-in; whereas, in previous interactionsof that logged-in user, the user had always (or had typically) checkedthe account balance and checked incoming messages before accessing thewire transfer section. Accordingly, server 555 may send back a“suspicious activity” response that may trigger furtheruser-authentication steps or may impose certain usage restrictions whichmay be lifted if the user performs additional authentication measures.

The system may comprise components and/or software modules, able toperform operations, estimations, calculations and/or other tasks asdescribed above, in order to implement the functionalities of thepresent invention. The system may comprise, for example: a pointingdevice that a user may utilize in order to operate (or interact with) anelectronic device and/or to access a system or a service; a pointingdevice monitoring module able to monitor and/or track and/or capture,for example, dynamics and/or gestures related to the pointing device; acontrol loop estimator (or a control loop model estimator) able toestimate or calculate or determine values of parameters thatcharacterize a control loop (or a control loop model) of a user, basedon monitored point device dynamics and/or gestures; and a database tostore records indicating association among users (e.g., logged-in users,and/or non-logged-in users) and their respective control loop models (orthe values of the parameters of their control loop models).

The system may further comprise: a comparator/matching module able tocompare (or match) current values of control loop model of a currentuser, to previously-stored values of control loop model(s) of one ormore previous sessions and/or user(s); a user identity determinationmodule able to determine or to estimate, based on the results of controlloop model parameters comparison, whether or not a current user is thesame person as a previous user; a fraud mitigation module able toperform one or more fraud mitigating steps based on a determination thata current user is not, or may not be, the genuine user (e.g., byrequiring the current user to respond to a challenge, to answer securityquestion(s), to contact customer service by phone, to perform two-stepauthentication or two-factor authentication, or the like).

The system may further comprise: a translation error estimator able toestimate a translation error parameter associated with a user; avelocity estimator able to estimate velocity of dynamics and/or gesturesof a user; a motor control noise estimator able to estimate a motorcontrol noise of a user; an x-axis biometric feature estimator able toestimate a biometric feature or trait of the user along the x-axis basedon monitored point device dynamics and/or gestures; a y-axis biometricfeature estimator able to estimate a biometric feature or trait of theuser along the y-axis based on monitored point device dynamics and/orgestures; a combined x-y axes biometric feature estimator able toestimate a biometric feature or trait of the user along a combination(e.g., a complex combination) of the x-axis and the y-axis, based onmonitored point device dynamics and/or gestures; and a statistics-basedbiometric feature estimator able to estimate a user-specific biometricfeature by calculating a statistics function applied to the x-axiscontrol loop and/or the y-axis control loop (or to a combinationthereof), for example, able to apply mean, standard deviation, range,maximum, minimum, kurtosis, skewness, quantiles, or other function(s).

The system may comprise, for example: a pointing device; a pointingdevice monitoring module; a keyboard allowing a user to inputkeystrokes; a keyboard monitoring module to monitor and/or track and/orstore keystrokes entered by the user; a state-and-context identifiermodule able to identify and store the state and/or the context of aservice or web-site or web-page or application, corresponding to aparticular keystroke or a particular set of keystrokes, and/orcorresponding to particular pointing device dynamics and/or gestures; aUI elements identifier module able to identify and store the UI or GUIelements that are displayed to the user and/or are utilized by the user;a user-specific trait generator to generate a user-specific trait orparameter value, indicating a user-specific service usage pattern; auser-specific inter-application usage pattern identifier module toestimate or calculate a user-specific inter-application usage pattern;and a user-specific intra-application usage pattern identifier module toestimate or calculate a user-specific intra-application usage pattern.

The system may further comprise: a frequent interaction type detector todetermine whether a particular user more frequently utilizes thepointing device or the keyboard in order to perform a particular type ofinteraction with a service; a form fill-out type detector to determinewhether a particular user more frequently utilizes the pointing deviceor the keyboard in order to fill-out a particular form of a service (ora particular field of the service, or a particular data item of theservice); a form submission type detector to determine whether aparticular user more frequently utilizes the pointing device or thekeyboard in order to submit a particular form of a service; and a cursormovement type detector to determine whether a particular user morefrequently utilizes the pointing device or the keyboard in order to movethe cursor within a service (e.g., among fields or among data items ofthe service).

The system may further comprise: a data pasting type detector todetermine whether a particular user more frequently utilizes thepointing device or the keyboard in order to perform a data pasteoperation in a particular form (or a particular field) of a service; apaste-or-type detector to determine whether a particular user morefrequently pastes data into a particular field or, alternatively, morefrequently types data into that particular field; an inter-applicationusage monitoring module to determine a user-specific inter-applicationusage pattern by monitoring and detecting that a particular user, inmost of his/her interactions with a particular service, performs a firstparticular action prior to preforming a second particular action; aninter-application page-sequence monitoring module to determine auser-specific page-sequence within a service or website, by monitoringand detecting that a particular user, in most of his/her interactionswith a particular service or website, visits a first particular pageprior to visiting a second particular page; and an inter-applicationtime-spent monitoring module to determine a user-specificinter-application time-spent trait, by monitoring and detecting that aparticular user, in most of his/her interactions with a particularservice or website, spends a first time-period at a first section (orweb-page) of the service, and spends a second (different) time period ata second section (or web-page) of that service.

The system may further comprise: a field monitoring module to monitorfield(s) in a computerized service and to generate (in coordination withmodule(s) described herein) a user-specific field-usage patternassociated with each field of that service; for example, monitoringand/or taking into account one or more of: (a) a mouse angle of approachto the field, (b) a mouse angle of exit from the field, (c) velocitiesof mouse approach and mouse exit, (d) time period spent within thefield, and/or (e) location of a mouse click event within the field. Thesystem may further comprise a user-specific field-usage patternestimator to determine a user-specific field-usage pattern based on themonitored field(s) and interactions.

The system may further comprise, for example, a database able to storethe above-calculated parameters or traits or user-specific features,with the user to which they correspond; a comparator/matching moduleable to compare (or match) currently-calculated features of a currentusage session, with previously-stored features of a previous usagesessions (or multiple previous usage sessions); a user identitydetection module to determine, based on the comparison results, whetheror not the current user is the same as a previous user (or is thegenuine user); and a fraud mitigation module able to perform one or morefraud mitigating steps based on a determination that a current user isnot, or may not be, the genuine user.

The components and/or modules of the system(s) may be co-located, or maybe distributed over multiple locations, multiple devices, a “cloudcomputing” service or system, a system utilizing client/serverarchitecture, a system utilizing peer-to-peer architecture, or othersuitable implementations. System(s) may be implemented by using, forexample, a processor, a processor core, a Central Processing Unit (CPU),an Integrated Circuit (IC), a logic circuit, a controller, memory units,storage units, input units, output units, wireless communication units(e.g., wireless transceiver), cellular communication units (e.g.,cellular transceiver), wired communication units and/or links, or thelike.

Some embodiments may characterize a user based on (a) the combination orassembly of motor-based units or motoric units (or motor-based elements,or motoric elements), and/or the particular user-specific sequencingand/or ordering and/or timing in which such motoric units are activated.The motoric units may be regarded as the “building blocks” of themotoric system of the human user. A motoric unit may comprise one ormore muscles, nerves, cells, and/or other body parts that may be able tomove, contract, shrink, expand, stretch, or otherwise modify theirproperties. For example, activation of a rapid motoric unit may causeapplication of force (e.g., movement) or other reaction within a shorttime period (e.g., within 20 or 50 or 75 milliseconds, or within therange of 10 to 80 milliseconds); whereas, activation of a slow motoricunit may cause application of force or other reaction within a longertime period (e.g., after at least 80 or 100 or 150 milliseconds).

Different humans may have different muscle profiles or bodily profiles,inherited or genetic profiles, different motoric coordination, differentability to activate and deactivate particular motoric unit(s) withincertain timing or ordering or sequence, and/or other user-specificcharacteristics related to motoric units, which may be extracted orestimated by the present invention and may be utilized for useridentification purposes, user authentication purposes, fraud detectionpurposes, or the like.

In a demonstrative implementation, a movement or a user-interaction withan electronic device or an input unit, may be captured or monitored, andmay be divided into short segments (e.g., each segment corresponding to20 or 30 or 40 or 50 milliseconds). Segments, or batches or sets ofsegments, may be analyzed and/or compared, or may be represented as ahistogram in order to identify user-specific patterns or traits. In oneexample, a first user may move the input device to the right, whileslightly moving it also clockwise (or upwardly; or downwardly); whereas,a second user may move the input device to the right, while slightlymoving it also counter-clockwise (or upwardly; or downwardly). Suchuser-specific traits may be estimated and/or detected, and may beutilized for distinguishing or differentiating among users (e.g., agenuine user versus a fraudulent user).

The Applicants have generated charts of histograms of segments, inaccordance with some demonstrative embodiments of the present invention.The vertical axis in each chart may indicate the percentage out of allmovements (or segments) recorded for a certain type of movement (e.g.,horizontal movement of the input device to the right). The horizontalaxis in each chart may indicate the angular deviation between segments;such that, for example, positive values indicate a clockwise movement ordeviation; whereas, negative values indicate a counter-clockwisemovement or deviation. A first chart may correspond to User A, and asecond chart may correspond to User B. The system may detect that User Atypically performs a slight counter-clockwise movement of the inputdevice, when moving the input device horizontally to the right; whereas,User B typically performs a slight clockwise movement of the inputdevice, when moving the input device horizontally to the right. This maybe used for user identification, user authentication, fraud detection,or other purposes.

A third chart may correspond to User C, and a fourth chart maycorrespond to User D. The variance in each chart may be calculated, inorder to extract user-specific traits related to the sequencing, timingand/or ordering of movements (or segments), which may indicate theuser-specific coordination skills. For example, even though the thirdand fourth charts may not show a clear skew of clockwise orcounter-clockwise movement, the third and fourth charts may demonstratethat User C and User D have different coordination skills or differentcoordination sets; and such user-specific patterns may be used for useridentification, user authentication, fraud detection, or other purposes.

The Applicants have generated is a schematic chart representingcoordination index and muscular profiles of four different users, inaccordance with the present invention. For example, the user-specificmuscular profile may be deduced or estimated; and the user-specificcoordination index may be deduced or estimated. The horizontal axis maycorrespond to the muscular profile; whereas the vertical axis maycorrespond to the coordination index. Four different users (denoted User1, User 2, User 3, and User 4) may have different estimated values ofmuscular profile and/or coordination index, thereby “placing” such fourusers in different locations or regions of the chart; and allowing todifferentiate or distinguish among users, for user identification, userauthentication, fraud detection, or other purposes.

Some embodiments may utilize a combination of one or more user-specificPhysical Biometric (PB) features and/or one or more user-specificCognitive Biometric (CB) features and/or one or more user-specificBehavioral Biometric (BB) features, which may be estimated or extracted,and then utilized for purposes of user identification, identityverification, fraud detection, fraud mitigation, differentiation ordistinguishing among users, or other purposes. In the followingdiscussion, a User Activity Window (UAW) may indicate all the movementsof the input unit (e.g., all mouse movements and/or mouse clicks) duringa usage session or during all usage sessions of a user; and a Stroke mayindicate a part of the UAW. For example, the UAW may be divided intomultiple strokes (or interaction elements, or interaction units), basedon one or more events or triggers or conditions, such as: movement toanother direction in a large angle (e.g., greater than 45 degrees); along pause (e.g., greater than 200 or 300 or 400 milliseconds); amouse-click or double-click (or, a drag-and-drop operation may beregarded as a single stroke); mouse-pointer is moved “out of” the screenor active window; or other criteria for division into strokes.Furthermore, a stroke may optionally be divided into stroke-parts,corresponding to “smooth” portions or parts of that stroke; although, inmany cases, a stroke comprises a single smooth part which is theentirety of that stroke. In a demonstrative implementation, thefollowing user-specific biometric traits may be extracted and thenutilized, individually and/or in various combination(s) with each other.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's arm length (PB-1): For long and straight or nearly-straightparts of a stroke, which are mostly along the X-axis, calculate theaverage radius of curvature; and average over the all strokes in theUAW.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's wrist length (PB-2): For short parts of a stroke which aremostly along the X-axis, calculate the average radius of curvature; andaverage over the all strokes in the UAW.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's (a) wrist range/flexibility of movement and (b) agility, tothe right side (PB-3): For short parts of a stroke going right which aremostly along the X-axis, calculate the length of the part (for range)and the average speed, acceleration, deceleration and jerk along thepart (for agility); and average over the all strokes in the UAW.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's (a) wrist range/flexibility of movement and (b) agility, tothe left side (PB-4): For short parts of a stroke going left which aremostly along the X-axis, calculate the length of the part (for range)and the average speed, acceleration, deceleration and jerk along thepart (for agility); and average over the all strokes in the UAW.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's dexterity of Fine Motor Skills (PB-5). For strokes that endin click on a web-page field: the ratio of stroke length to direct path,speed and angle change at the target (large speed change and shortercorrection means more accuracy and dexterity), start speed,acceleration, deceleration and jerk; the system may combine some or allof these parameters to generate a measure of dexterity. Additionally oralternatively, with disturbances: Disabled button, Input field focusloss, moved target (and more) disturbances, forces the user to repeather access to the button or change speed and angles of approach, therebyallowing again to measure or estimate dexterity.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's fingers range of movement (PB-6). For short parts of a strokewhich are mostly along the Y-axis, calculate the length of the part;average over the all strokes in the UAW.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's mouse-wheel finger range of movement (PB-7): Find (a) maximalnumber of pixels scrolled by consecutive wheel events, and (b) maximalconsecutive number of wheel events with no pause longer than apre-defined value (e.g., 50 or 100 or 150 or 180 milliseconds).

A demonstrative user-specific biometric trait may comprise estimation ofthe user's elbow position (PB-8): Estimate whether or not the user'selbow is in the air (or is resting on a desk or table), by estimatingvariance of the length, speeds and acceleration is short parts ofstrokes going left and/or by estimating variance of the length, speedsand acceleration is short parts of strokes going right.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's left-handedness or right-handedness (PB-9): Estimate whetherthe user is right-handed or left-handed, based on input unitinteractions. For example, right-handed users may have stronger movementto the left than to the right; whereas left-handed users may havestronger movement to the right than to the left. Without disturbance,the system may estimate and compare (a) speed, acceleration,deceleration and jerk to left, with (b) speed, acceleration,deceleration and jerk to right, with regard to short parts of strokesand/or for long parts of strokes; or may otherwise compare the left andright agility, or the ratio of the average speeds and accelerations inPB-3 and PB-4. Additionally or alternatively, introduce a disturbance inwhich the mouse-pointer is stuck or disappears, and determineright-or-left handedness based on the direction of the oval or ellipseor circle that the user performs as a movement to find or refresh themouse-pointer.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's eye-hand coordination model, and/or eye-hand cognitivecorrection model, and/or eye-hand feedback model (CB-1), by estimatingparameters of the user's motor control loop.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's accuracy in reaching an on-screen target by utilizing aninput device (CB-2); for example, as discussed above with reference tobiometric trait PB-5.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's eye saccades and/or smooth pursuit models (CB-3). Forexample, a stream of clicks of dragging of the mouse-pointer may beanalyzed, and optionally, images or video from a front-facing camera ofthe electronic device may be analyzed, in order to estimate uniqueuser-specific features of eye gazes or saccades of the user eye(s).Additionally or alternatively, the smooth pursuit user-specificfeatures, allowing the user's eye(s) to closely follow a moving object,may be tracked and estimated based on similar data.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's eye-hand coordination model (CB-4); for example, by usingCB-2 and/or PB-5. Additionally or alternatively, a disturbance orinterference may be introduced or injected to the user experience, suchas, a rotation disturbance, allowing the system to measure how well(and/or how rapidly) the specific user compensates for such disturbance.Optionally, a compensatory-tracking task may be introduced, optionallydisguised as a short-term interference or disturbance (e.g., without theuser knowing that this is actually a challenge measuring his/hereye-hand coordination).

A demonstrative user-specific biometric trait may comprise estimation ofthe user's awareness (CB-5); for example, by calculating the time thatis required for the specific user to process information when the pageis loaded, and/or when the page is updated (but not reloaded).Additionally or alternatively, an interference may be introduced (e.g.,the mouse-pointer may be disappeared or may become “stuck” ornon-responsive), and the system may measure how long it takes the userto find out that something is “wrong” with the mouse-pointer, and/or howlong it takes the user to find out that the mouse-pointer is operating“normally” again (e.g., the interference being removed).

A demonstrative user-specific biometric trait may comprise estimation ofthe user's reaction time(s) to various events (CB-6). For example,without introducing an interference, the system may calculate the timerequired for the specific user to process event(s) when page is loaded,and/or when the page is updated (and not reloaded). Additionally oralternatively, similarly to CB-5, the system may introduce aninterference or disturbance and measure the user's reaction, forexample, which type of reaction, direction of reactive movement, numberof clicks in reactive action, properties of the reaction such asmovement in circle or oval or straight line(s) or other shapes, the timelength of such reaction, how long it takes the user to initiate thereaction and/or to perform the corrective action and/or to detect thatthe interference was removed, or the like; for example, reaction to themouse-pointer or cursor becoming “stuck” or disappearing, or the“submit” button disappearing, or the like.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's interactions in view of Hick's Law or Hick-Hyman Law (CB-7).For example, the system may introduce an interference which modifies thenumber of choices that are presented to the user on a page, allowing thesystem to estimate the parameter “b” in Hick's law, such that theprocessing time (T) is equal to b x log₂ (n+1), where “n” denotes thenumber of equally probably choices. Additionally or alternatively, avisible Captcha mechanism may be used, and the system may modify thenumber of available choices and estimate the user-specific processingtime or user-specific parameters in Hick's law equation.

A demonstrative user-specific biometric trait may comprise estimation ofthe user's interactions in view of Fitts's Law or Fitts' Law (CB-8). Forexample, the system may monitor the user's interactions to estimate theuser-specific parameters that relate to the time required for that userto rapidly move to a target area, taking into account the distanceand/or the target size. Some implementations may estimate one or moreuser-specific parameters in the Shannon formulation (or other suitableformula) for movement along a single dimension, for example, accordingto which, T=a+b x log₂ (1+D/W); where T indicates the movement time; aindicates the intercept (the start/stop time of the input unit); bindicates the slope, the inherent 1/speed of the device; D indicates thedistance from the starting point to the center of the target; Windicates the width of the target measured along the axis of motion.

A demonstrative user-specific biometric trait may comprise estimation ofthe user-specific page usage stream model (BB-1). For example, thesystem may calculate the probabilities to move from a first page to asecond page (e.g., from a pre-defined list of given pages), byestimating a Markov chain model per website and per user.

A demonstrative user-specific biometric trait may comprise estimation ofthe web-page fields usage stream model (BB-2); for example, calculatingthe probabilities to go from one field to a second field (in a givenlist of fields in a form or in the complete website), by estimating aMarkov chain model per website (and/or per form) and per user.

A demonstrative user-specific biometric trait may comprise estimation ofthe mouse-related behavioral patterns, for a specific form or web-page(BB-3). For example, for each user the system may collect the user'saverage angles of approach to each field, angles of exit from eachfield; speed, acceleration, deceleration and jerk of approach; speed,acceleration, deceleration and jerk of exit; location of clicks in eachfield (e.g., center, right-side, left-side); types of movement (Tab keyversus mouse), Fitts' Law parameters, time of movement between specificfields in the form; and in input fields, the time from click or Tab keyto start of text input and time from end of text input to first mouseevent. Different users have different preferences which may bedetermined uniquely on per-user basis.

A demonstrative user-specific biometric trait may comprise estimation ofthe mouse-related behavioral patterns, for page fields or per a type ofUI elements or GUI elements (e.g., select boxes, buttons, input fields,drop-down menu) (BB-4). For example, the system may measure the user'saverage angles of approach to each UI element, angles of exit from eachUI element; speed, acceleration, deceleration and jerk of approach;speed, acceleration, deceleration and jerk of exit; location of clicksin each UI element (e.g., center, right-side, left-side); types ofmovement (Tab key versus mouse), Fitts' law parameters, time of movementbetween specific UI element in the form; in input fields, the time fromclick or Tab key to start of text input and time from end of text inputto first mouse event. Different users have different preferences whichmay be determined uniquely on per-user basis.

A demonstrative user-specific biometric trait may comprise estimation ofthe user-specific preferences that are reflected in UI interactions(BB-5); for example, determining whether the specific user prefers toscroll with a mouse-wheel or with the arrow keys on the keyboard or withthe scroll bar in the margin of the page or with the scroll line in thetouchpad; usage of the Tab key or the mouse in order to move betweenfields or UI elements; use of the mouse or the Enter key to submit aform or a query; or the like.

Some embodiments may calculate, estimate and/or utilize one or more ofthe following user-specific features, or a combination of some of them:average speed of input unit movement (e.g., mouse movement); standarddeviation of the speed of movement; the 10% percentile (or otherpre-defined percentile) of the speed of movement, or multiple differentpercentiles which may indicate about the user-specific distribution ofspeed-of-movement; average acceleration in the direction of movement(only positive values) (e.g., utilizing PB-2, PB-3, PB-4 and/or PB-6);average acceleration in the direction of movement (only negative values)(e.g., utilizing PB-2, PB-3, PB-4 and/or PB-6); standard deviation ofacceleration in the direction of movement (e.g., utilizing PB-2, PB-3,PB-4 and/or PB-6); the 10% percentile of acceleration in the directionof movement (e.g., utilizing PB-2, PB-3, PB-4 and/or PB-6); the 90%percentile of acceleration in the direction of movement (e.g., utilizingPB-2, PB-3, PB-4 and/or PB-6); the number of positive values ofacceleration in the direction of movement divided by number of negativevalues of acceleration in the direction of movement (e.g., utilizingPB-2, PB-3, PB-4 and/or PB-6); the average acceleration perpendicular tothe direction of movement (only positive values) (e.g., utilizing PB-1,PB-2, PB-3, PB-4 and/or PB-6); the average acceleration perpendicular tothe direction of movement (only negative values) (e.g., utilizing PB-1,PB-2, PB-3, PB-4 and/or PB-6); the median of absolute value of angularvelocity (e.g., utilizing PB-1, PB-2, PB-3, PB-4 and/or PB-6); the 10%percentile of angular velocity (e.g., utilizing PB-1, PB-2, PB-3, PB-4and/or PB-6); the 90% percentile of angular velocity (e.g., utilizingPB-1, PB-2, PB-3, PB-4 and/or PB-6); the standard deviation of angularvelocity (e.g., utilizing PB-1, PB-2, PB-3, PB-4 and/or PB-6); themedian of curvature (e.g., utilizing PB-1, PB-2, PB-3, PB-4 and/orPB-6); the 10% percentile of curvature (e.g., utilizing PB-1, PB-2,PB-3, PB-4 and/or PB-6); the 90% percentile of curvature (e.g.,utilizing PB-1, PB-2, PB-3, PB-4 and/or PB-6); the median speed at aclick event (e.g., utilizing CB-1); the average time between mouse-downand mouse-up events (e.g., zero value indicating none such events); theaverage direction of movement before a click (e.g., angle between themouse at the click event, and the mouse K-events before the click, whereK may be 3 or 5 or other positive integer), optionally taking intoaccount or detecting circular movement prior to the click event, andoptionally utilizing CB-1 and/or CB-2; Ratio of mouse move events to allmouse events; Ratio of mouse click events to all mouse events; Ratio ofmouse wheel events to all mouse events; Ratio of sharp angles to allangles; the average angle of sharp (or wide) angles (e.g., utilizingPB-1, PB-2, PB-3, PB-4, PB-5 and/or PB-6); number or frequency of longbreaks (e.g., a break of more than 100 or 200 or 300 or 400milliseconds); an average break time; number or frequency of large jumpsin movements, such that a large distance exists between two consecutivemouse events (e.g., distance greater than 100 or 150 or 200 pixels);average jump length of such large jumps; average time between last mousemove and the following click-event; or the like.

In some implementations, the speed of movement may be divided into three“bins”; the system may extract features that are the normalized numberof speed values that are in bin X followed by a speed value in bin Y(hence 9 features); which may indicate the tendency of the user to havelarge speed movements followed by low speed movements (or vice versa);and optionally keeping constant the speed bin boundaries for each UAW.

In some embodiments, the system may measure or estimate for each mousepoint/mouse event, in each stroke, some or all of the following 16parameters: Speed (absolute velocity); Absolute acceleration; Absolutejerk (derivative of acceleration); Acceleration in direction ofmovement; Acceleration perpendicular to direction of movement; Affinecurvature; Direction of movement (angle); First derivative of directionof movement; Second derivative of direction of movement; Curvature;First derivative of curvature; Second derivative of curvature; Firstderivative of dual_x; First derivative of dual_y; Second derivative ofdual_x; Second derivative of dual_y; where dual_x and dual_y are thedual coordinates, which may be calculated as:

dual_(x) =v _(y)/(y·v _(x) −x·v _(y))  (4)

dual_(y) =v _(x)/(x·v _(y) −y·v _(x))  (5)

Optionally, the system may calculate or estimate, for each one (or forsome of) the above-mentioned 16 parameters, one or more of the followingten indicators: Average; Standard deviation; Max value-Min value (span);Skewness; Kurtosis; 10% percentile; 25% percentile; 50% percentile; 75%percentile; 90% percentile. The above may yield 160 user-specificfeatures (16 times 10), which may be estimated and/or utilized,individually or in suitable combinations.

Some embodiments may calculate and/or estimate one or more of thefollowing user-specific features (e.g., utilizing CB-1 and/or CB-2and/or PB-5): the total time of each movement or stroke; theStraightness (e.g., ratio between total length of stroke to the directpath or the smoothed path); Stroke length; Pause since previous stroke;Bounding rectangle long side; Bounding rectangle short side; Boundingrectangle area; Bounding rectangle ratio of short to long sides; Linearmotor control model for X axis; Linear motor control model for Y axis;the stroke's starting direction with regard to the stroke's direction;The stroke's ending direction with regard to the stroke's direction;Average speed in direction of stroke; Average speed perpendicular todirection of stroke; Average starting speed; Average starting absoluteacceleration; Average end speed; Average end absolute acceleration;Average starting curvature; Average end curvature; Ratio between totallength of stroke to the direct path (non-smoothed); Median noise(difference between actual path and smoothed path). Other user-specificparameters may be estimated or calculated; for example, related to therotated path in direction of the stroke, and/or related to the rotatedpath perpendicular to the direction of the stroke. The linear motorcontrol model for X axis, and for the Y axis, may be calculates as:

a _(x) =α·v _(x)+β·(x−x _(end))  (6)

a _(y) =α·v _(y)+β·(y−y _(end))  (7)

Some embodiments of the present invention may be utilized in order todifferentiate or distinguish between: an authorized user versus anunauthorized user; a genuine user versus an imposter or fraudster orhacker; a human user versus an automatic script or malware or “bot”; alocal user (e.g., operating a local computing device) versus a remoteuser (authorized, or non-authorized attacker) utilizing a remote accessterminal (or a remote access malware); a first authorized user and asecond authorized user (e.g., husband and wife accessing a joint bankaccount; or two managers or business partners accessing a business bankaccount); a first authorized user and a second, unauthorized, user(e.g., a parent accessing a bank account; and a son or daughter usingthe banking website after the parent has left the computing devicewithout logging-out); and/or for other user identity detection purposes,user identity verification purposes, user authentication purposes,security purposes, fraud detection purposes, fraud mitigation purposes,or the like.

The term “pointing device” as used herein may include, for example, amouse, a trackball, a pointing stick, a stylus, a joystick, amotion-sensing input device, a touch screen, a touch-pad, or the like.

The term “device” or “electronic device” as used herein may include, forexample, a mobile device, a non-mobile device, a non-portable device, adesktop computer, a workstation, a computing terminal, a laptopcomputer, a notebook computer, a netbook computer, a computing deviceassociated with a mouse or a similar pointing accessory, or the like.

The term “genuine user” as used herein may include, for example, anowner of a device; a legal or lawful user of a device; an authorizeduser of a device; a person who has legal authorization and/or legalright to utilize a device, for general purpose(s) and/or for one or moreparticular purpose(s); or the person who had originally defined usercredentials (e.g., username and password) for performing an activitythrough the device.

The term “fraudulent user” as used herein may include, for example, anyperson who is not the “genuine user” of the device; an attacker; anintruder; a man-in-the-middle attacker; a man-in-the-browser attacker;an unauthorized user; an impersonator; a hacker; a cracker; a personattempting to hack or crack or compromise a security measure utilized bythe device or by a system or a service or a website, or utilized by anactivity or service accessible through the device; a fraudster; a humanfraudster; a “bot” or a malware or an automated computerized process(e.g., implemented by using software modules and/or hardware components)which attempts to imitate human behavior or which attempts to act as ifsuch “bot” or malware or process was the genuine user; or the like.

The present invention may be used in conjunction with various suitabledevices and systems, for example, various devices that have atouch-screen; an ATM; a kiosk machine or vending machine that has atouch-screen; a touch-keyboard; a system that utilizes Augmented Reality(AR) components or AR glasses (e.g., Google Glass); a device or systemthat may detect hovering gestures that do not necessarily touch on thescreen or touch-screen; a hovering screen; a system or device thatutilize brainwave analysis or brainwave control in which the user'sbrainwaves are captured or read and the user's brain may directlycontrol an application on the mobile device; and/or other suitabledevices or systems.

Some embodiments may identify multiple (different) users that utilizethe same device, or the same account, before or after a typical userprofile is built, or even during a training period in which the systemlearns the behavioral patterns. This may be used for detection of“friendly fraud” incidents, or identification of users foraccountability purposes, or identification of the user that utilized aparticular function in an Administrator account (e.g., optionally usedin conjunction with a requirement that certain users, or users withcertain privileges, may not share their password or credentials with anyother person); or identification of a licensee in order to detect orprevent software piracy or unauthorized usage by non-licensee user(s),for software or products that are sold or licensed on a per-user basisor a per-seat basis.

In some embodiments, the present invention may be utilized to decrease(or increase, or modify) friction from an authentication process. Forexample, after a login form was filled and submitted by the user, ademonstrative system may skip or not skip an additional authenticationstep (e.g., a security question) if the system recognizes the user asthe genuine user.

In some embodiments, the present invention may be utilized to increase(or decrease, or modify) the system's tolerance for mistakes (or failedattempts) made by the user in an authentication process. For example, ademonstrative system may allow three consecutive failed attempts inlogging-in, and may then “lock” the account and may require that theuser (e.g., a bank customer) to call a customer service number forfurther handling. However, if the present invention is utilized, someembodiments may recognize that although three failed log-in attemptswere performed, they were all performed in a GUI-utilization manner thatclosely matches the previously-stored user-specific profile of GUIutilization; and therefore, the system may become more “forgiving” andmay allow such user one more (or a few more) log-in attempts before“locking” the account or putting the process on hold.

In some embodiments, the system may periodically update theuser-specific GUI-utilization profile, based on the ongoing utilizationby the user. For example, the user may start utilizing the system onJanuary 1st, and the system may utilize ten log-in sessions, performedin January, for generating an initial user-specific profile of GUIutilization. The system may proceed to utilize the generated profile,during 25 subsequent log-in profiles of that user, in the months ofFebruary through June. The system may continue to update theuser-specific profile, based on log-in sessions as they take place.Optionally, the system may discard historic data of GUI-utilization(e.g., in a First-In-First-Out (FIFO) order), since, for example, a usermay change the way of utilizing the GUI over time, due to learning thesystem better, becoming more familiar with the system, getting older inage, or the like. In some embodiments, the system may continuouslyupdate the user-specific profile of GUI utilization,

In some embodiments of the present invention, a method comprises: duringa first session of a user who utilizes a pointing device for interactingwith a computerized service, monitoring the pointing device dynamics andgestures of said user; based on the monitored dynamics and gestures,estimating parameters that characterize a sensorimotor control loopmodel of said user. In some embodiments, the method comprises: storingin a database a record indicating that said user is associated with saidparameters that characterize the sensorimotor control loop model of saiduser. In some embodiments, the method comprises, in a subsequent sessionof interaction with said computerized service: monitoring pointingdevice dynamics and gestures of a subsequent user; estimating currentparameters that characterize a sensorimotor control loop of saidsubsequent user; comparing the current parameters to said record ofparameters, and based on results of said comparing, determining whethersaid subsequent user of the second session is the same person as saiduser of the first session.

In some embodiments, the method comprises, in a subsequent session ofinteraction with said computerized service: monitoring pointing devicegestures of a subsequent user; estimating current parameters thatcharacterize a sensorimotor control loop of said subsequent user;comparing the current parameters to said record of parameters, and basedon results of said comparing, determining whether to authenticateidentity of said subsequent user. In some embodiments, estimatingparameters of a motor control loop of said user comprises: estimatingthe parameters that characterize the sensorimotor control loop as afunction of translation error, current velocity, and motor controlnoise, based on monitored pointing device dynamics and gestures. In someembodiments, estimating parameters of a motor control loop of said usercomprises: estimating a linear control loop model as a linear functionof translation error, current velocity, and motor control noise, basedon monitored pointing device dynamics and gestures.

In some embodiments, the method comprises: estimating parameters of afirst sensorimotor control loop, associated with pointing device basedinteraction of a first user during a first session at said computerizedservice; estimating parameters of a second sensorimotor control loop,associated with pointing device based interaction of a second userduring a second session at said computerized service; if the parametersof the first sensorimotor control loop match the parameters of thesecond sensorimotor control loop, then determining that the first userand the second user are the same person. In some embodiments, the methodcomprises: estimating parameters of a first sensorimotor control loop,associated with pointing device based interaction of a first user duringa first session at a first computerized service; estimating parametersof a second sensorimotor control loop, associated with pointing devicebased interaction of a second user during a second session at a second,different, computerized service; if the parameters of the firstsensorimotor control loop match the parameters of the secondsensorimotor control loop, then determining that the first user and thesecond user are the same person.

In some embodiments, estimating the parameters of the sensorimotorcontrol loop comprises: estimating parameters of a sensorimotor controlloop which comprises sensory organ, muscle, and brain. In someembodiments, estimating the parameters of the sensorimotor control loopcomprises: estimating parameters of a sensorimotor control loop whichcomprises eye, hand, and brain coordination and control of the pointingdevice. In some embodiments, the method comprises: estimating a firstuser-specific biometric feature corresponding to a first motor controlloop of said user across an x-axis; estimating a second user-specificbiometric feature corresponding to a second motor control loop of saiduser across a y-axis.

In some embodiments, the method comprises: estimating a thirduser-specific biometric feature by calculating a statistics function,applied to one of said first and second motor control loops; wherein thestatistics function is selected from the group consisting of: mean,standard deviation, range, maximum, minimum, kurtosis, skewness,quantiles. In some embodiments, the method comprises: estimating a firstuser-specific biometric feature corresponding to a motor control loop ofsaid user across a combination of x-axis and y-axis.

In some embodiments, the method comprises: estimating a user-specificmuscular profile which characterizes the motor control loop; estimatinga user-specific coordination index which characterizes the motor controlloop; differentiating between two or more users based on theuser-specific muscular profile and the user-specific coordination index.In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating a lengthof an arm of said user; based on the estimated length of arm of saiduser, differentiating between said user and another user interactingwith said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating a lengthof a wrist of said user; based on the estimated length of wrist of saiduser, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on the monitored pointing device dynamics and gesturesof said user, estimating a range of a wrist of said user; based on theestimated range of wrist of said user, differentiating between said userand another user interacting with said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating level offlexibility of movement of a wrist of said user; based on the estimatedlevel of flexibility of movement of wrist of said user, differentiatingbetween said user and another user interacting with said computerizedservice. In some embodiments, the method comprises: based on themonitored pointing device dynamics and gestures of said user, estimatingmovement agility of said user; based on the estimated movement agilityof said user, differentiating between said user and another userinteracting with said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating movementdexterity of said user; based on the estimated movement dexterity ofsaid user, differentiating between said user and another userinteracting with said computerized service. In some embodiments, themethod comprises: based on the monitored pointing device dynamics andgestures of said user, estimating a movement range of fingers of saiduser; based on the estimated movement range of fingers of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the method comprises: basedon the monitored pointing device dynamics and gestures of said user,estimating a movement range of a mouse-wheel operating finger of saiduser; based on the estimated movement range of the mouse-wheel operatingfinger of said user, differentiating between said user and another userinteracting with said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating whetheror not an elbow of said user is resting on a surface; based onestimation of whether or not the elbow of said user is resting on thesurface, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on the monitored pointing device dynamics and gesturesof said user, estimating whether the user is right-handed; based onestimation of whether said user is right-handed, differentiating betweensaid user and another user interacting with said computerized service.In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating whetherthe user is left-handed; based on estimation of whether said user isleft-handed, differentiating between said user and another userinteracting with said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating one ormore parameters characterizing an eye-hand cognitive correction feedbackof said user; based on the estimated one or more parameterscharacterizing the eye-hand cognitive correction feedback of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the method comprises: basedon the monitored pointing device dynamics and gestures of said user,estimating a level of accuracy of said user in reaching an on-screenuser interface element; based on the estimated level of accuracy of saiduser, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on the monitored pointing device dynamics and gesturesof said user, estimating an eye saccade model of said user; based on theestimated eye saccade model of said user, differentiating between saiduser and another user interacting with said computerized service. Insome embodiments, the method comprises: based on the monitored pointingdevice dynamics and gestures of said user, estimating a smooth pursuitmovement model of said user; based on the estimated smooth pursuitmovement model of said user, differentiating between said user andanother user interacting with said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating aneye-hand coordination model of said user in response to an introducedinterference to user experience at said computerized service; based onthe estimated eye-hand coordination model of said user in response tothe introduced interference to user experience at said computerizedservice, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on the monitored pointing device dynamics and gesturesof said user, estimating a level of awareness of said user to afreshly-loaded page of said computerized service; based on the estimatedlevel of awareness of said user, differentiating between said user andanother user interacting with said computerized service. In someembodiments, the method comprises: based on the monitored pointingdevice dynamics and gestures of said user, estimating a level ofawareness of said user to a freshly-modified non-reloaded page of saidcomputerized service; based on the estimated level of awareness of saiduser, differentiating between said user and another user interactingwith said computerized service.

In some embodiments, the method comprises: based on the monitoredpointing device dynamics and gestures of said user, estimating a levelof awareness of said user to a modification in one or more userinterface elements of said computerized service; based on the estimatedlevel of awareness of said user, differentiating between said user andanother user interacting with said computerized service. In someembodiments, the method comprises: presenting to said user a number ofchoices; subsequently, modifying the number of choices presented to saiduser; based on the monitored pointing device dynamics and gestures ofsaid user, estimating a level of awareness of said user to modificationof the number of choices; based on the estimated level of awareness ofsaid user, differentiating between said user and another userinteracting with said computerized service. In some embodiments, themethod comprises: based on the monitored pointing device dynamics andgestures of said user, estimating parameters of a Fitts's Law functionindicating ability of said user to rapidly reach an on-screen target;based on the estimated parameters of the Fitts's Law function of saiduser, differentiating between said user and another user interactingwith said computerized service.

In some embodiments, the method comprises: a monitoring moduleconfigured to operate during a first session of a user who utilizes apointing device for interacting with a computerized service, wherein themonitoring module is to monitor the pointing device dynamics andgestures of said user; a motor control loop model estimator, toestimate, based on the monitored dynamics and gestures, parameters thatcharacterize a sensorimotor control loop model of said user. In someembodiments, the method comprises: a database to store a recordindicating that said user is associated with said parameters thatcharacterize the sensorimotor control loop model of said user; wherein,in a subsequent session of interaction with said computerized service,the monitoring module is to monitor pointing device dynamics andgestures of a subsequent user, wherein the motor control loop modelestimator is to estimate current parameters that characterize asensorimotor control loop of said subsequent user; wherein the systemcomprises a comparator to compare the current parameters to said recordof parameters, and based on comparison results, to determine whethersaid subsequent user of the second session is the same person as saiduser of the first session.

In some embodiments, a method comprises: during a first session of auser, who utilizes a pointing device and a keyboard for interacting witha computerized service, monitoring pointing device dynamics and gesturesand keystrokes of said user; analyzing the monitored pointing devicedynamics and gestures and keystrokes, in relation to (a) state andcontext of said computerized service, and (b) user interface elementsdisplayed by said computerized service; generating a user-specificbiometric trait indicating a user-specific service usage pattern, whichcomprises at least one of: a user-specific inter-application usagepattern, and a user-specific intra-application usage pattern. In someembodiments, the method comprises: monitoring whether said user morefrequently utilizes the pointing device or the keyboard in order toperform a particular type of interaction with said computerized service;based on said monitoring, generating a user-specific intra-applicationusage pattern associated with said user.

In some embodiments, the method comprises: monitoring whether said usermore frequently utilizes the pointing device or the keyboard in order tosubmit a form at said computerized service; based on said monitoring,generating a user-specific intra-application usage pattern associatedwith said user. In some embodiments, the method comprises: monitoringwhether said user more frequently utilizes the pointing device or thekeyboard in order to fill-in data in a form at said computerizedservice; based on said monitoring, generating a user-specificintra-application usage pattern associated with said user. In someembodiments, the method comprises: monitoring whether said user morefrequently utilizes the pointing device or the keyboard in order to movea cursor between fields at said computerized service; based on saidmonitoring, generating a user-specific intra-application usage patternassociated with said user.

In some embodiments, the method comprises: monitoring whether said usermore frequently utilizes the pointing device or the keyboard in order topaste data into a particular field at said computerized service; basedon said monitoring, generating a user-specific intra-application usagepattern associated with said user. In some embodiments, the methodcomprises: monitoring whether said user more frequently (a) pastes datainto a particular field at said computerized service, or (b) types datainto said particular field at said computerized service; based on saidmonitoring, generating a user-specific intra-application usage patternassociated with said user. In some embodiments, the method comprises:determining a user-specific inter-application usage pattern thatindicates that said user, in most of its interactions with saidcomputerized service, performs a first particular action prior toperforming a second particular action; based on said user-specificinter-application usage pattern, determining whether a subsequent userof said computerizes service is the same person as said user.

In some embodiments, the method comprises: determining a user-specificinter-application usage pattern that indicates that said user, in mostof its interactions with said computerized service, visits a firstparticular page of said computerized service prior to visiting a secondparticular page of said computerized service; based on saiduser-specific inter-application usage pattern, determining whether asubsequent user of said computerizes service is the same person as saiduser. In some embodiments, the method comprises: determining auser-specific inter-application usage pattern that indicates that saiduser, in most of its interactions with said computerized service, spendsa first period of time at a first particular page of said computerizedservice prior to spending a second period of time at a second particularpage of said computerized service; based on said user-specificinter-application usage pattern, determining whether a subsequent userof said computerizes service is the same person as said user. In someembodiments, the method comprises: monitoring for each field in acomputerize service, mouse dynamics and gestures for that field; basedon said monitoring, generating a user-specific field-usage patternassociated with said user.

In some embodiments, the method comprises: monitoring for each field ina computerize service, (a) a mouse angle of approach to the field, (b) amouse angle of exit from the field, (c) velocities of mouse approach andmouse exit, (d) time period spent within the field, and (e) location ofa mouse click event within the field; based on said monitoring,generating a user-specific field-usage pattern associated with saiduser. In some embodiments, the method comprises: based on monitoredpointing device dynamics and gestures and based on monitored keystrokesof said user, estimating a user-specific behavioral trait of page-usagestream pattern of said user; based on the estimated user-specificbehavioral trait of page-usage stream pattern of said user,differentiating between said user and another user interacting with saidcomputerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures and based on monitored keystrokes of saiduser, estimating a user-specific behavioral trait ofmultiple-field-usage stream pattern of said user in relation to multiplefields on a particular page of said computerized service; based on theestimated user-specific behavioral trait of multiple-field-usage streampattern of said user, differentiating between said user and another userinteracting with said computerized service. In some embodiments, themethod comprises: based on monitored pointing device dynamics andgestures of said user, estimating a user-specific behavioral traitcorresponding to angle of approach by said user to an on-screen field ofsaid computerized service; based on the estimated user-specificbehavioral trait of angle of approach of said user, differentiatingbetween said user and another user interacting with said computerizedservice.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a user-specificbehavioral trait corresponding to angle of exit by said user from anon-screen field of said computerized service; based on the estimateduser-specific behavioral trait of angle of exit of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the method comprises: basedon monitored pointing device dynamics and gestures of said user,estimating a user-specific behavioral trait corresponding to speed ofapproach by said user to an on-screen field of said computerizedservice; based on the estimated user-specific behavioral trait of speedof approach of said user, differentiating between said user and anotheruser interacting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a user-specificbehavioral trait corresponding to speed of exit by said user from anon-screen field of said computerized service; based on the estimateduser-specific behavioral trait of speed of exit of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the method comprises: basedon monitored pointing device dynamics and gestures of said user,estimating a user-specific behavioral trait corresponding toacceleration of approach by said user to an on-screen field of saidcomputerized service; based on the estimated user-specific behavioraltrait of acceleration of approach of said user, differentiating betweensaid user and another user interacting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a user-specificbehavioral trait corresponding to acceleration of exit by said user froman on-screen field of said computerized service; based on the estimateduser-specific behavioral trait of acceleration of exit of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the method comprises: basedon monitored pointing device dynamics and gestures of said user,estimating a user-specific behavioral trait corresponding to jerk ofapproach by said user to an on-screen field of said computerizedservice; based on the estimated user-specific behavioral trait of jerkof approach of said user, differentiating between said user and anotheruser interacting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a user-specificbehavioral trait corresponding to jerk of exit by said user from anon-screen field of said computerized service; based on the estimateduser-specific behavioral trait of jerk of exit of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the method comprises: basedon monitored pointing device dynamics and gestures of said user,estimating whether said user typically clicks with said pointing device(i) at a center region of a particular user interface element of saidcomputerized service, or (ii) at a right-side region of said particularuser interface element of said computerized service, or (iii) at aleft-side region of said particular user interface element of saidcomputerized service; based on estimation of whether said user typicallyclicks at said center region, at said right-side region, or at saidleft-side region, of said particular user interface element of saidcomputerized service, differentiating between said user and another userinteracting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user and based on monitoredkeystrokes of said user, estimating a time period that is typicallyrequired for said user in order to move an on-screen pointer from afirst particular field to a second particular field of said computerizedservice; based on estimation of said time period, that is typicallyrequired for said user in order to move an on-screen pointer from afirst particular field to a second particular field of said computerizedservice, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on monitored pointing device dynamics and gestures ofsaid user and based on monitored keystrokes of said user, estimating atime period that is typically required for said user in order to proceedfrom (i) a click within a particular field of said computerized service,to (ii) typing within said particular field of said computerizedservice; based on estimation of said time period, that is typicallyrequired for said user in order to proceed from (i) click within saidparticular field of said computerized service, to (ii) typing withinsaid particular field of said computerized service, differentiatingbetween said user and another user interacting with said computerizedservice.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user and based on monitoredkeystrokes of said user, estimating a time period that is typicallyrequired for said user in order to proceed from (i) end of typing withina particular field of said computerized service, to (ii) moving anon-screen pointer away from said particular field of said computerizedservice; based on estimation of said time period, that is typicallyrequired for said user in order to proceed from (i) end of typing withinsaid particular field of said computerized service, to (ii) moving anon-screen pointer away from said particular field of said computerizedservice, differentiating between said user and another user interactingwith said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user and based on monitoredkeystrokes of said user, estimating whether said user typically scrollsa page of said computerized service (i) using a mouse, or (ii) using akeyboard; based on estimation of whether said user typically scrolls apage of said computerized service (i) using a mouse, or (ii) using akeyboard, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on monitored pointing device dynamics and gestures ofsaid user, estimating whether said user typically scrolls a page of saidcomputerized service (i) using mouse-clicks on an on-screen scroll-bar,or (ii) using mouse-wheel; based on estimation of whether said usertypically scrolls a page of said computerized service (i) usingmouse-clicks on an on-screen scroll-bar, or (ii) using mouse-wheel,differentiating between said user and another user interacting with saidcomputerized service.

In some embodiments, the method comprises: based on monitored keystrokesof said user, estimating whether said user typically scrolls a page ofsaid computerized service (i) using arrow-down and arrow-up keys, or(ii) using page-up and page-down keys; based on estimation of whethersaid user typically scrolls a page of said computerized service (i)using arrow-down and arrow-up keys, or (ii) using page-up and page-downkeys, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on monitored pointing device dynamics and gestures ofsaid user, estimating an average pointing device movement speed of saiduser; based on estimation of average pointing device movement speed ofsaid user, differentiating between said user and another userinteracting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a standarddeviation of pointing device movement speed of said user; based onestimation of standard deviation of pointing device movement speed ofsaid user, differentiating between said user and another userinteracting with said computerized service. In some embodiments, themethod comprises: based on monitored pointing device dynamics andgestures of said user, estimating a distribution of pointing devicemovement speed of said user; based on estimation of distribution ofpointing device movement speed of said user, differentiating betweensaid user and another user interacting with said computerized service.In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating an average ofpositive values of acceleration of pointing device movement of said userin a particular direction; based on estimation of said average ofpositive values of acceleration, differentiating between said user andanother user interacting with said computerized service. In someembodiments, the method comprises: based on monitored pointing devicedynamics and gestures of said user, estimating an average of negativevalues of acceleration of pointing device movement of said user in aparticular direction; based on estimation of said average of negativevalues of acceleration, differentiating between said user and anotheruser interacting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a standarddeviation of acceleration of pointing device movement of said user in aparticular direction; based on estimation of said standard deviation ofacceleration, differentiating between said user and another userinteracting with said computerized service. In some embodiments, themethod comprises: based on monitored pointing device dynamics andgestures of said user, estimating a ratio between (i) a number ofpositive values of acceleration in a direction of movement, and (ii) anumber of negative values of acceleration in said direction of movement;based on estimation of said ratio, differentiating between said user andanother user interacting with said computerized service. In someembodiments, the method comprises: based on monitored pointing devicedynamics and gestures of said user, estimating an average of positivevalues of acceleration of pointing device movement of said user in adirection perpendicular to a direction of movement of said pointingdevice; based on estimation of said average of positive values ofacceleration, differentiating between said user and another userinteracting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating an average ofnegative values of acceleration of pointing device movement of said userin a direction perpendicular to a direction of movement of said pointingdevice; based on estimation of said average of negative values ofacceleration, differentiating between said user and another userinteracting with said computerized service. In some embodiments, themethod comprises: based on monitored pointing device dynamics andgestures of said user, estimating a median of absolute values of angularvelocity of pointing device movement of said user; based on estimationof median of absolute values of angular velocity of pointing devicemovement of said user, differentiating between said user and anotheruser interacting with said computerized service. In some embodiments,the method comprises: based on monitored pointing device dynamics andgestures of said user, estimating a distribution of angular velocity ofpointing device movement of said user; based on estimation ofdistribution of angular velocity of pointing device movement of saiduser, differentiating between said user and another user interactingwith said computerized service. In some embodiments, the methodcomprises: based on monitored pointing device dynamics and gestures ofsaid user, estimating a median speed of movement at a click event ofsaid pointing device of said user; based on estimation of median speedof movement at a click event of said pointing device of said user,differentiating between said user and another user interacting with saidcomputerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating an average of timedifference between a mouseclick-down event and a mouseclick-up event ofsaid pointing device of said user; based on estimation of average oftime difference between a mouseclick-down event and a mouseclick-upevent of said pointing device of said user, differentiating between saiduser and another user interacting with said computerized service. Insome embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating an averagedirection of pre-mouseclick movements of said pointing device of saiduser; based on estimation of average direction of pre-mouseclickmovements of said pointing device of said user, differentiating betweensaid user and another user interacting with said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a ratio between(i) mouse movement events of said user, to (ii) all mouse events of saiduser; based on estimation of said ratio between (i) mouse movementevents of said user, to (ii) all mouse events of said user,differentiating between said user and another user interacting with saidcomputerized service. In some embodiments, the method comprises: basedon monitored pointing device dynamics and gestures of said user,estimating a ratio between (i) mouse click events of said user, to (ii)all mouse events of said user; based on estimation of said ratio between(i) mouse click events of said user, to (ii) all mouse events of saiduser, differentiating between said user and another user interactingwith said computerized service.

In some embodiments, the method comprises: based on monitored pointingdevice dynamics and gestures of said user, estimating a ratio between(i) mouse wheel events of said user, to (ii) all mouse events of saiduser; based on estimation of said ratio between (i) mouse wheel eventsof said user, to (ii) all mouse events of said user, differentiatingbetween said user and another user interacting with said computerizedservice. In some embodiments, the method comprises: based on monitoredpointing device dynamics and gestures of said user, estimating a ratiobetween (i) sharp mouse movements of said user, to (ii) all mousemovements of said user; based on estimation of said ratio between (i)sharp mouse movements of said user, to (ii) all mouse movements of saiduser, differentiating between said user and another user interactingwith said computerized service. In some embodiments, a system comprises:a monitoring module operative during a first session of a user, whoutilizes a pointing device and a keyboard for interacting with acomputerized service, wherein the monitoring module is to monitorpointing device dynamics and gestures and keystrokes of said user; ananalysis module (i) to analyze the monitored pointing device dynamicsand gestures and keystrokes, in relation to (a) state and context ofsaid computerized service, and (b) user interface elements displayed bysaid computerized service, and (ii) to generate a user-specificbiometric trait indicating a user-specific service usage pattern, whichcomprises at least one of: a user-specific inter-application usagepattern, and a user-specific intra-application usage pattern.

The present invention includes a method and device for confirmingcomputer end-user identity. For example, the identity of an end-useroperating a computer is confirmed by analyzing user reactions toaberrations in output. More specifically, an aberration is caused inoutput that the computer provides to an output device, and theend-user's response to the aberration is received. An end-usercharacteristic is extracted from the response and compared to storedcharacteristic responses to find a match. A match is indicative of theidentity of the computer user. It can also be checked whether, aftercausing an aberration in output the end-user responded differently tothe output than if the output did not have the aberration. The lack of adifferent response can be interpreted as indicative that the end-user isa bot.

Some embodiments may comprise a method of confirming the identity of anend-user interacting with a remote server, using an end-user electronicdevice; the method comprising: a. during an interaction session of saidend-user, executed by said end-user via an input unit associated withsaid end-user electronic device, causing an aberration in output that isdisplayed upon an output unit of said end-user device, wherein saidaberration comprises modifying input data from said input unit of saidend-user device, resulting in display of said aberration upon saidoutput unit; b. receiving an end-user response to the displayedaberration from said input unit of said end-user electronic device; c.extracting from said end-user response, a user-specific end-usercharacteristic that is based on the response of a specific end-user tosaid displayed aberration; and d. comparing between the user-specificend-user characteristic extracted from said end-user response; with oneor more stored characteristic responses that are stored in a database ofprior responses of said end-user to displayed aberrations, to find amatch; e. wherein finding a match using said comparison, is indicativeof the identity of the end-user.

In some embodiments, the aberration is causing the output unit todisplay a character that differs from a character specified for displayby the end-user via a keyboard or an emulated keyboard. In someembodiments, the method comprises: repeating the steps of: causing of anaberration, the receiving of the end-user response, the extracting of auser-specific end-user characteristic, and the comparing of theextracted user-specific end-user characteristic with storedcharacteristic responses. In some embodiments, said comparing of theextracted user-specific end-user characteristic with storedcharacteristic responses comprises generating a learning curveassociated with an end-user's responsiveness to aberrations. In someembodiments, generating said learning curve comprises generating thelearning curve by utilizing at least one measurable parameter selectedfrom: the speed of correction for said aberration; an end-user's timefor identification of an aberration; continuity of correction for saidaberration; mistakes made by said end-user during correction for saidaberration; noises in correcting said aberration; and parameters of theefficiency of cursor movement during correction of said aberration.

In some embodiments, an apparatus for confirming the identity of anend-user operating an end-user device, comprises: a processor; and amemory storing instructions that, when executed by the processor, causethe processor to perform a method which comprises: a. during aninteraction session of said end-user, executed by said end-user via aninput unit associated with said end-user electronic device, causing anaberration in output that is displayed upon an output unit of saidend-user device, wherein said aberration comprises modifying input datafrom said input unit of said end-user device, resulting in display ofsaid aberration upon said output unit b. receiving an end-user responseto the displayed aberration from said input unit of said end-userelectronic device; c. extracting from said end-user response, auser-specific end-user characteristic that is based on the response of aspecific end-user to said displayed aberration; and d. comparing betweenthe user-specific end-user characteristic extracted from said end-userresponse; with one or more stored characteristic responses that arestored in a database of prior responses of said end-user to displayedaberrations, to find a match; e. wherein finding a match using saidcomparison, is indicative of the identity of the end-user.

In some embodiments, said input unit is operative to communicate theend-user response to the displayed aberration through a communicationnetwork. In some embodiments, the output unit is a display for human useor an emulated display for a bot, and wherein the aberration comprises adiverted movement of a cursor on the display or on the emulated display,wherein the diverted movement is a diversion from the movement that theend-user entered via a cursor movement device or via an emulated cursormovement device; wherein the cursor movement is diverted by changing oneor more of the following: the ratio of the angle of cursor movementdisplayed, from that specified by said end-user; the magnitude of cursormovement displayed, from that specified by said end-user. In someembodiments, the instructions stored by the memory, when executed by theprocessor, cause the processor to repeat the causing of an aberration,the receiving of the end-user response, the extracting of auser-specific end-user characteristic, and the comparing of theextracted user-specific end-user characteristic with storedcharacteristic responses.

Elaborate schemes have been devised to maintain security duringinteractive sessions between an end-user and a computer. Previously, asimple requirement for a single password sufficed, but maliciousintrusions, by parties sometimes referred to as “hackers”, resumed aftersuch hackers were able to develop methods to bypass simple passwordrequirements. End-users are now typically advised, and sometimes evenrequired, to compose personal passwords of a random or semi-randomnature, such as having at least one capital letter and one lower-caseletter, at least one numeral, and a special character (e.g., “!”, “@”,“$”, and “#”). End-users are often asked to change their passwordsoccasionally, for example, every three months.

Intruders have found ways to by-pass passwords, even those of a randomnature, so other protections schemes have been developed, such as thoserequiring biometric data. One example of such scheme employs afingerprint reader, so an end-user desiring to conduct an interactivesession must supply the fingerprint that is associated with a particularaccount. However, even biometric data can be stolen and then used togain unauthorized access to protected data.

Another growing problem is the use of bots (computer programs that runautomatically) to bypass user authentication schemes. There is a needfor a way to distinguish between bots and humans attempting to begin aninteractive session with a computer.

Another method to confirm user identity is to implement transparentcontinuous authentication (TCA). TCA operates continuously during thewhole user session in order to authenticate users according to theirbehavior or biometric behavior, for example, according to voice. Thistype of TCA may monitor a speaker's voice during an entire conversationwith a call center.

The problem with conventional TCA is that the learning and detectingprocess for user confirmation is very long. Unlike requesting a passwordand waiting for a user response, TCA does not have standard requeststhat produce expected responses from authorized users and unexpectedresponses from unauthorized users. By not prompting particularresponses, the validation method necessarily must take longer due to theneed to wait for distinguishable behavior from users for confirmation.

Two common categories of solutions became known as “log-inauthentication” and “continuous authentication,” the former being morecommon.

Log-in authentication involves the transfer of “secrets” during aninteractive process, such as, login-in, using USB encryption keys, andbiometric authentication (fingerprint, voice, pictures, and evenkeystrokes and mouse dynamics). This type of authentication could bedefeated by unauthorized acquisition of the secrets, such as by phishingor planning Trojan horses.

Continuous authentication, also known as “transparent continuousauthentication” (TCA) involves the collecting of information in thebackground throughout a user session, and this form of authenticationcould detect an unauthorized user after his/her credentials were alreadystolen. Applying this transparent method, a user would not be aware thathis actions are being scrutinized (unlike the awareness, for example, ofbeing asked to provide a password). Examples of TCA include voicerecognition, mouse dynamic recognition, and keystroke analysis. Thedrawback of this method is that the transparent process is by definitionnot an interactive process, so by not “involving” the user theauthentication process last longer. Thus, the user had more freedom toconduct various activities before the authentication was complete. Fromthe perspective of the protection provides, the session is consideredpseudo-random, uncontrolled, unsupervised, and unpredictable.

The present invention provides embodiments that authenticate end-userseither while attempting to begin interactive sessions with computer orthroughout user sessions to determine whether the users are authorizedto use the identities they provide. The embodiments can also distinguishbetween human users and bots. Further, embodiments can determine if oneuser has created multiple identities.

Embodiments of the invention include motor control TCA, which wasdeveloped to prove the significance of current TCA solution dealing withkeyboard and mouse dynamic. The concept implements theory taken from thefield of mechanical robotics to imitate human movements by modeling themotor control as a complex system. A feedback loop facilitates the flowof signals among the eyes, the brain, and muscles.

Another embodiment of the invention is interactive transparentcontinuous authentication, which actually implements transparentcontinuous authentication in the background of a user session withoutthe user being aware of the authentication process but nonethelessstaying involved. Such is achieved by causing interferences (aberration)during user sessions so the users will respond but will not be awarethat a test was in progress. This solution controls the session and ismore predictable than “normal” TCA despite being transparent.

A further embodiment is interactive TCA. Such also provides protectionagainst bots and Trojan horses. These automated intruders do alwaysrespond to interferences (aberrations) as human users do, andinteractive TCA exploits that deficiency as discussed below.

The invention may comprise a method of confirming the identity of anend-user operating a computer. The method includes: causing anaberration in output that the computer provides to an output device;receiving a response to the aberration; extracting from the response anend-user characteristic; and comparing the extracted end-usercharacteristic response with stored characteristic responses to find asimilarity of the end-user's response to a stored response; wherein asimilarity is indicative of the identity of the computer user.

The invention may also comprise an alternate method of confirming theidentity of an end-user operating a computer. More specifically, themethod includes: causing an aberration in output that the computerprovides to an output device; determining whether the end-user respondsdifferently to the output than if the output did not have theaberration; and interpreting the lack of a different response asindicative that the end-user is a bot.

The invention may further comprise a device for confirming the identityof an end-user operating a computer. The device has a processor and amemory. The memory holds instructions that, when executed by theprocessor, cause the processor to: cause an aberration in output thatthe computer provides to an output device; receive a response to theaberration; extract from the response an end-user characteristic; andcompare the extracted end-user characteristic response with storedcharacteristic responses to find a similarity of the end-user's responseto a stored response. A similarity is indicative of the identity of theend-user.

The invention may further comprise a device for confirming the identityof an end-user operating a computer. The device has a processor and amemory. The memory holds instructions that, when executed by theprocessor, cause the device to: cause an aberration in output that thecomputer provides to an output device; determine whether the end-userresponds differently to the output than if the output did not have theaberration; and interpret the lack of a different response as indicativethat the end-user is a bot.

Human physiological features differ from one person to the next, andknowledge of such differences can be exploited to identify a computerend-user (or “user”) based on how he/she uses the computer. Thisidentification is made possible by observing characteristic responses ofa user to unexpected output when using the computer.

As an example, consider a computer operatively connected to the displayand to a mouse that a user slides along the mouse pad to alter theposition of a mouse cursor displayed in the image on the display. Themouse cursor in this example is initially located at point A, and theuser wants to reposition the cursor to point B. To effect such change inposition, the user grasps with his hand the mouse, located at point A′on the mouse pad, and slides it to point B′.

The change in cursor position on the display is represented by astraight line, and the user may think of the associated motion as linearor more likely not even think consciously about the shape of the mouse'spath at all. In this example, the shape of mouse's path is curved, forthe following reason: the user rests his elbow or on a prominent forearmmuscle near the elbow on a region of a stationary surface, such as adesktop or a chair armrest, to act as a pivot point for the forearm asthe forearm moves from position to position to change the mouselocation. Although the mouse's path is represented as an arc of acircle, more often the shape of such path is more complex, because thelocations of the points A′ and B′ and the region and length of theuser's forearm are unlikely to be such that the user can move the mouseas needed by only a simple pivoting of the forearm. It may be necessaryto flex and/or extend the forearm muscles and perhaps also to move orremove the pivot point.

The exact motion of the mouse's path on the mouse pad affects the shapeof the cursor's path on the display, and the shape of the cursors pathwill usually differ from one user to the next due to differingphysiological features, such as the length of the users' forearms andmuscle characteristics. With sufficient tracking and recording of usercharacteristics that are associated with how users move mouse cursors,it is possible to identify users in the future based on pastobservations.

The length of the users' forearms and their muscle characteristics areonly two of many physiological features that relate to trackablecharacteristics suitable for user identification. Additional examples oftrackable characteristics include visual reaction times, internal jitternoises, muscle dexterity and control, and nervous and muscular systemsreaction times. Monitoring and analyzing such physiological features forthe purpose of user identification can be referred to as “motor controlbased transparent continuous authentication (TCA).”

Another procedure for user identification may be referred to as “motorcontrol based interactive transparent continuous authentication.” Thisprocedure uses an algorithm to interfere with the visual display thatthe user sees to cause an aberration to appear in the output. Theaberration can be subtle enough so that the user does not sense anymechanism attempting to confirm his/her identity. For example, if theuser moves the mouse from point A′ to point B′ on the mouse pad, theprocedure will prevent the cursor from moving exactly to point B on thedisplay. Perhaps instead the cursor will be a little higher or to theright of point B. The user probably does not know that the interferencewas added by the interactive TCA algorithm during the user session.Instead, the user probably just thinks that he did not move the mouse tothe appropriate position to cause the cursor to appear where heintended.

Aberrations may fall into one of two categories: continuous and local. Acontinuous aberration is not consciously sensed by the user. Over time,the user becomes accustomed to the conditions of the aberration, andhis/her body adapts accordingly. Force field and distortion effects oncursors are examples of such conditions. Users do sense localaberrations, but they do not realize that the aberrations are causedjust for the purpose of distorting output, as the types of aberrationsresemble typical web experiences, such as that of a mouse cursordisappearing. With either continuous or local aberrations, a user'sadaptation thereto is indicative of identity.

In all likelihood, the user will compensate for the aberration inoutput, and the specific compensating motions are the user's“characteristic response” that can be used for user identification. Forexample, one user may not compensate for the motion until he has movedthe mouse to point B′ and then noticed that the cursor was not displayedat point B. Then, he will move the mouse appropriately in a new attemptto bring the cursor to point B. Another user my notice the aberrationsignificantly before the curser gets far for point A, and then she willstart her compensation earlier. Of course, by initially tracking agreater number of responses to aberrations, the results later for useridentification can become more significant. Also, by causing outputaberrations under the motor control interactive TCA procedure, insteadof merely collecting responses to unplanned conditions using the motorcontrol based TCA, more controlled conditions are available for moresignificant and quicker user identification.

The present invention may be embodied as a method of confirming theidentity of an end-user operating a computer. A server interfacing witha computer via a local area network (LAN) or the Internet may beprogrammed to perform this method. Alternatively, the method may beperformed on the same computer for which its user's identity is beingconfirmed. The user may be operating the computer in a home or officesetting. The user may instead be in a more public area, such as a bank,and using a computer commonly used by many other users in the same day.

The method begins by causing an aberration in output that the computerprovides to an output device. (Step S1.) The output device may be adisplay for human use, such as the display. The aberration may be causedby a software module, such as JavaScript or flash, in the computer's webbrowser acting according to instructions from an external server orwithin the computer.

It is recognized that a bot attempting to operate the computer will notneed the same type of output device, for example, a visual display thata human would use. Nonetheless, the bot and its associated computersystem implement an analogous type of output device to appear as a user(to “emulate” the user) to the server or other mechanism that isexecuting the present process of determining whether to confirm theuser's identity. Instead of a standard “human” display, the bot may useinstead an “emulated display” to receive output in way that attempts toappear as a human display.

As discussed earlier, the aberration of step S1 may be a divertedmovement of a cursor on a display. If a bot associated with an emulateddisplay is operating the computer, then the aberration may analogouslybe a diverted movement on an emulated display. The cursor movement maybe diverted by changing the ratio of the angle and/or magnitude ofcursor movement that the cursor movement device (or an emulated cursormovement device) specifies to the angle and/or magnitude of the movementof the cursor on the display (or on the emulated display). Types ofcursor movement devices include a mouse, a trackball, a touch pad, anatural user interface (NUI) controlled for example by voice or bodymovement, and the like.

In certain instances, cursor movement may be controlled by a user usinga device having a touch-screen display. The user's specific compensatingmotions upon the touch-screen are then measured to determine the user's“characteristic response” for user identification. In use of the methodof the invention with a touch-screen display, the “cursor movementdevice” is defined as the touch-screen and its associated software forcontrolling cursor movement.

An emulated cursor movement device is simply the mechanism that a botmay use to communicate to the server or other mechanism executing thepresent method as if a genuine cursor movement device were being used.That is, the emulated cursor movement device sends signals to appear asif a human is operating the computer.

Other types of aberrations are within the scope of step S1. For example,the aberration can be the disappearance from the display of the cursorthat is moved according to signals from of the cursor movement device(as opposed to a keyboard cursor, that is, the cursor that moves inresponse to characters entered via a keyboard). If the computer is beingoperated by a bot, then the disappearance would be that of the emulatedcursor that moves according to signals from an emulated cursor movementdevice.

Another kind of aberration to use when the output device is a display(or an emulated display) is the disappearance of the keyboard cursorfrom the display (or the disappearance of a bot's emulated keyboardcursor from an emulated display). Some users might respond by pressingtheir keyboards' cursor movement keys. Other might respond bypositioning their mouse cursor where they want the keyboard cursor toappear. The specifics of different responses can be used later for useridentification, as discussed in more detail below.

An additional kind of aberration is the display of a character thatdiffers from a character that a user specified using his/her keyboard(or that a bot specified using an emulated keyboard). Some users mayrespond quickly by pressing their keyboard's backspace key. Others maynot notice the mistake immediately, especially if they do not typicallyview the display when typing characters. (They may focus their attentioninstead on documents.) When they do notice the mistakes, some may deleteunwanted characters using the “backspace” key while others respond usingthe “delete” key. Also, programming common misspellings as aberrationsdifferentiates users by how well they notice the misspellings.

Other types of aberrations become available when another peripheral isused the output device for this method. For example, if the outputdevice is an audio speaker, an aberration could be an increase involume, either by a small or a large amount (with the intention ofseeing whether the user reduces the volume quickly, slowly, or not atall, or whether the user turns the sound off completely).

The preceding discussion of aberrations caused in step S1 is by no meansan exhaustive list. Many other types of aberrations are suitable. Thegoal is to cause the user to respond in such a way to provideinformation useful for identifying him/her, as discussed in thefollowing.

After the step S1 of causing the aberration, the next step is receivinga response to the aberration. (Step S2.) For example, if the aberrationof step S1 was the disappearance or diverted movement of a cursor fromthe computer's display (or the disappearance or diverted movement of anemulated cursor from an emulated display), the response received in stepS2 may be that relating to the cursor movement device (or the emulatedcursor movement device) associated with the computer. As one example ofthe performance of Step S2, if a server is configured to perform thepresent method, step S2 may be performed by the server receiving theresponse from the computer operated by the end-user whose identity is tobe confirmed. Such may be effected by client-side software, such asJavaScript or flash, installed on the computer's browser to collect rawdata relating to the user response and to forward it to the server. Thesystem may be such that the server receives the response from thecomputer through a LAN or the Internet. The server may instead have adirect connection to the computer, such as by a USB cable or wirelessconnection. (This latter system can be considered a network of twocomputers.) Alternatively, this method can be performed on an end-user'scomputer, so there is no separate server or network. Computer softwaremay be implemented to collect raw data, as in the server example, butthe data are transferred internal to the computer for receipt.

After the step S2 of receiving the response to the aberration, the nextstep is extracting from the response an end-user characteristic. (StepS3.) One way to extract the end-user characteristics is to analyze theraw data collected from in the client side as discussed above,extracting movement features and building a model for each useraccordingly. Cross-movement features could also be extracted to enhancemodel accuracy. Moreover, movement could be characterized by a tag whichindicates its type (for example, left/right movement). This taggingcould both effected as part of the user model and also in order tocreate sub-models per tag type. A user's model may be based onsupervised learning techniques, which treat other user data as a sampleof possible adversaries and thus infer what are the features which aremost relevant to detect the current user out of the entire population ofusers. Alternatively or additionally, a statistical model could be builtfor each user independently of models for other users. One examplealgorithm for this is a support vector machine (SVM), which analyzesdata and recognizes patterns, and there are other such methods in thefield of classification and machine learning.

After the step S3 of building an end-user model from the user's (bot's)response, the next step is to find a similarity of the end-user'sresponse to a stored response. (Step S4.) Accordingly, there is acomparison of the extracted end-user characteristic with the storedresponses of that user and with responses of other stored user modelsthat are potential intruders. In each session, the user gets a scorevalue that indicates how much the characteristics are similar to thosein the model built in a previous learning process. This score can beaccompanied by a certainty level that is based on a self assessment ofthe model to determine its accuracy. The score and accuracy couldpossibly be a combined value of both. Moreover, scores from differenttimes or of different types could be integrated to improveclassification performance.

A similarity of the end-user's response to a stored response isindicative of the identity of the computer user. In someimplementations, though, it may be difficult to obtain enoughidentifying information from the only one response to an aberration, andrepeating the above process can increase accuracy and accelerate theuser identification process. Accordingly, it can be desirable to repeatthe causing of an aberration (step S1), the receiving of the response(step S2), the extracting of an end-user characteristic (step S3), andthe comparing of the end-user characteristic response with storedcharacteristic responses (step S4). Accordingly, it is queried whetherto run the test cycle again (step S5), and if another cycle is to beperformed the process flow returns to step S1. For example, it may bedesired to repeat the test cycle every time a repeated predeterminedtime period ends. If the test cycle is not to be run again, the processends at this point.

A user's response and his extracted end-user characteristics to anaberration, may be plotted by the software of the invention, todetermine the user's learning curve over time. During any specificsession, several aberrations may appear, and a single human user willcorrect more rapidly to the aberration as the session progresses (whilea bot will not). Additionally, the learning curve of a human user willbe more rapid over several sessions than that of either an intruder,unfamiliar with the aberration, or of a bot. The learning curve of theidentified (authentic) user will have additional measurable parametersuseful for extracting end-user characteristics that may be utilized foridentification of the user. Examples of additional measurable parametersof a user's learning curve include: the time a user takes to identify anaberration and the time he takes to correct for it; the continuity ofthe correction for the aberration; mistakes in correcting for theaberration; noises in correcting the aberration; parameters that definethe level of control the user has over the output device (in spite ofthe aberration) such as parameters of the efficiency of cursor movementin respect to the desired user response.

Embodiments of the present inventors address the situation in which abot, programmed to emulate an end-user, may fail to “notice” anaberration in output provided to an output device. For example, if thebot is programmed to enter “john.smith” in a user name field, and thedisplay (or emulated display) shows “joh.ith,” the bot may have nofunctionality to check whether “john.smith” indeed appeared as expected.The bot would simply proceed as programmed, such as, by entering apassword in a password field. A human user, whether an authorized useror another human acting as if he were an authorized user, would likelyrespond to the display of “joh.ith” by adding the missing letters “n,”“s,” and “m” where appropriate.

That is, a human user would most likely respond to an aberration inoutput differently than if the output did not have the aberration. Incontrast, a bot of lesser sophistication might not respond differentlyat all to the aberration. Thus, the lack of different response to theoutput with the aberration from the response to the output that did nothave the aberration is an indication that the end-user is likely a bot.Thus, the present invention may be embodied as a method of confirmingthe identity of an end-user operating a computer, the method beingparticularly suitable for determining whether the end-user is a bot.

Another method begins by causing an aberration in output that thecomputer provides to an output device. (Step S1.) Such step may beexecuted analogously to how step S1 of the previous embodiment isexecuted. After the step S1 of causing the aberration, the next step isdetermining whether the end-user responds differently to the output thanif the output did not have the aberration. (Step S2.) With reference tothe example above, if a server or other mechanism were executing thepresent method, client-side software, such as JavaScript or flash, maybe implemented in the computer's browser to collect any cursor movementsand keystrokes of a user's response. For example, server could cause thedisplay of “joh.ith” in a user name field after the human user or botentered “john. smith” and then determine whether the user (or bot)attempts to add the missing “n,” “s,” and “m.” It is assumed in thisexample that a human user would attempt to add the missing letters.

It is then queried whether the result of the step S2 determination isthat the end-user, whether human or a bot, responded differently to theoutput with the aberration than if the output did not have theaberration. (Step S3.) If the result is affirmative, it is interpretedthat the end-user is not a bot. (Step S4.) If instead the result isnegative, it is interpreted that the end-user is a bot. (Step S5.) Theprocess then ends.

The preceding discussions explain how the invention may be implementedto detect a bot or an unauthorized human trying to gain access toprotected information as if the bot or unauthorized human were theauthorized user. However, the invention can also be embodied to detectwhether a single human user is acting as multiple users, for example, byhaving multiple user accounts. A single human user has limited controlof his/her characteristic responses, so embodiments of the invention maybe used to detect a single user associate with multiple user accountsunder the guise of multiple users.

The invention may also be implemented as a device for confirming theidentity of an end-user operating a computer. The device may be aserver, such as part of a system, or a “stand alone” computer, such asthe personal computer. Alternatively, the device may be another type ofcomputing device, such as a smart phone or a tablet, as non-limitingexamples. In both the implementations, the device has a processor and amemory. The processor may be an Intel Pentium Processor E5400, an IntelXeon 5130 CPU, or any other equivalent means for processing (executing)instructions held in the memory. The memory may be a SATA hard drive, aflash memory, SSD, or any other equivalent means for storinginstructions that when executed by the processor cause the processor tofunction as described herein. The memory may also be an external USBflash drive. In some configurations, the end-user interfaces directlywith the device of the present embodiment, the personal computer. Insome systems, the end-user uses a personal computer to interface withthe device, the server, through a network. The network may be a LAN orthe Internet or other suitable wired or wireless network.

The personal computer has operationally connected thereto a display, akeyboard, and a mouse on a mouse pad. In alternate embodiments, adifferent cursor movement device may be used instead in place of themouse. An end-user may to access the server so its processor data wouldprocess data or to view records stored in the memory. For example, theserver may be administered by a bank, and the end-user may want to usethe processor to effect a funds transfer. Alternatively, the end-usermay want to view bank records stored in the memory. In any case, thebank is able to confirm the identity of an end-user that is operatingthe personal computer. The following explains how the server confirmsthe identity. The personal computer functions analogously to the server.

The memory holds instructions that the processor executes, which resultsin the processor causing an aberration in output that the personalcomputer provides to the display. (In alternate embodiments, a differentoutput device, such as an audio speaker, as discussed above, may be usedin place of the display.) Examples of aberrations are as discussedabove, such as, the disappearance from or a diverted movement on thedisplay of the cursor that the end-user controls using the mouse, thedisappearance of the cursor that the end-user controls using thekeyboard, and the display of a character that differs from the characterthat the end-user specified using the keyboard.

When the end-user experiences the aberration, he/she is likely to reactaccordingly. Such as, if the cursor did not appear on the display whereanticipated, he/she would move the mouse is a fashion to move the cursorto the desired position. The end-user's reaction is detected, forexample, by client-side software, such as in a JavaScript or flashmodule of a web browser loaded on the personal computer, and thesoftware module or equivalent detection means sends a response basedthereon to the server, where it is received. (In some embodiments, asoftware module of JavaScript, Flash, or equivalent detection means onthe personal computer transfers a response internal to the personalcomputer and is handled by the processor.)

After the server receives the response, it extracts an end-usercharacteristic. Then, the server compares this characteristic responsewith other characteristic responses, which have been stored, forexample, in the memory or in other storage, to find similarities thatare indicative of the identity of the end-user. (In some embodiments, adatabase of characteristic responses may reside on the memory or inanother location that is accessible to the processor.)

If desired, the server and the personal computer can repeatedly causeoutput aberrations throughout a user session to obtain additionalidentifying information as opposed to the information from only oneresponse to an aberration. Repeatedly causing output aberrations canincrease accuracy of and accelerate the user identification procedure asdiscussed above.

A bot may be operationally connected to the network. Unauthorized usersmay attempt to gain access to the server by programming the bot toappear to the server as an authorized end-user operating a personalcomputer, such as the personal computer. The bot includes as functionalmodules an emulated display, an emulated mouse cursor, an emulatedcursor movement device (such as an emulated mouse), and an emulatedkeyboard, and an emulated cursor that moves according to keystrokes. Thepurpose of the emulation is to appear to the server as a human user whenthe server sends instructions, such as those intended for an outputdevice like a display, and when the server receives responses, such asthose based on user mouse movements and keystrokes. For implementationsin which the server expects responses from a JavaScript, Flash, or likesoftware module of a web browser, the reactions that the bot emulatesare received by the JavaScript module and forwarded to the server forprocessing.

The bot, although programmed to emulate a human end-user as much aspossible, may fail to even notice when the server provides an aberrationin output. As discussed above (see the example of a bot sending“john.smith” in a user name field and an aberration causing an output“joh.ith”), if the bot responds no differently to an aberration than ifthere were no aberration, suspicion is raised that a bot is attemptingto access the server.

Accordingly, the memory of the server may hold instructions that, whenexecuted by the processor, cause the server to cause an aberration inoutput that a computer, seemingly like the personal computer, providesto an output device, like the display. If the server determines thatthere was no different response to the output aberration, the server mayinterpret the lack of a different response (or, an in sufficient orpartial corrective response) as indicative that the end-user is a bot ornon-human. The server may be programmed to execute multiple tests suchas this as desired to confirm such suspicions.

Having thus described exemplary embodiments of the invention, it will beapparent that various alterations, modifications, and improvements willreadily occur to those skilled in the art. Alternations, modifications,and improvements of the disclosed invention, though not expresslydescribed above, are nonetheless intended and implied to be withinspirit and scope of the invention. For example, motor control TCA can beapplied without the aberrations caused in user output. Accordingly, theforegoing discussion is intended to be illustrative only; the inventionis limited and defined only by the following claims and equivalentsthereto.

Some embodiments comprise a system, method, and device of detectingidentity of a user of an electronic device. A method for confirmingidentity of a user of a mobile electronic device, the method including:receiving touch data from a touch-screen of the mobile electronicdevice; receiving acceleration data from an accelerometer of the mobileelectronic device; correlating between the touch data and theacceleration data; based on the correlating, generating a user-specifictrait indicative of said user. The method further includes storing areference value of the user-specific trait, indicative of said user; ina subsequent usage session of the mobile electronic device, generating acurrent value of the user-specific trait correlating between touch dataand acceleration data; and based on a comparison between the currentvalue of the user-specific trait and the reference value of theuser-specific trait, determining whether or not a current user of themobile electronic device is an authorized user of the mobile electronicdevice.

For example, a method for confirming identity of a user of an electronicdevice, may comprise: receiving touch data from a touch-screen of theelectronic device; receiving device orientation data from a gyroscope ofthe electronic device; determining a relation between (i) the touch datareceived from the touch-screen of the electronic device, and (ii) thedevice orientation data received from the gyroscope of the electronicdevice; based on said relation between (i) the touch data received fromthe touch-screen of the electronic device, and (ii) the deviceorientation data received from the gyroscope of the electronic device,generating a user-specific trait indicative of said user of saidelectronic device and reflecting relation between a manner in which saiduser is orienting the electronic device while also touching thetouch-screen of the electronic device; storing, either locally withinsaid electronic device or on a remote server, a reference value of saiduser-specific trait which reflects said relation between a manner inwhich said user is orienting the electronic device while also touchingthe touch-screen of the electronic device; in a subsequent usagesession, generating and storing a current value of the user-specifictrait indicating relation between touch data and device orientationdata; and based on a comparison process between (A) the current value ofthe user-specific trait that was generated, and (B) the reference valueof the user-specific trait that was previously generated, determiningwhether or not a current user of the electronic device is an authorizeduser of the electronic device.

In some embodiments, the step of receiving touch data comprises:receiving non-tactile touch data indicating a hovering user gesture inproximity to said touch-screen of said electronic device.

In some embodiments, the method comprises: determining a user-specificrelation among: (I) touch data received from the touch-screen of theelectronic device, and (II) device orientation data received from thegyroscope of the electronic device, and (III) acceleration data receivedfrom an accelerometer of said electronic device; based on said relationamong (I) the touch data and (II) the device orientation data and (III)the device acceleration data, generating said user-specific trait toreflect a distinct manner in which said user both accelerates andorients said electronic device while touching the touch-screen of saidelectronic device.

In some embodiments, the method comprises: based on the relation betweenthe touch data and the acceleration data, (A) determining that a firstphysiological region of said user moves when a particular gesture isperformed, and (B) determining that a second physiological region ofsaid user does not move when said particular gesture is performed; basedon said two determining operations, differentiating among multipleusers.

In some embodiments, the method comprises: determining an offset ofholding said electronic device in a hand of said user, wherein theoffset comprises an offset selected from the group consisting of: theelectronic device being held with a palm area of the hand, and theelectronic device being held with a fingers area of the hand; based onsaid offset of holding the electronic device in the hand,differentiating among multiple users.

In some embodiments, the method comprises: determining whether (A) thesame hand of the user is utilized for both holding the electronic deviceand tapping the touch-screen of the electronic device, or (B) a firsthand of the user is utilized for holding the electronic device and asecond hand of the user is utilized for tapping the touch-screen of theelectronic device; based on said determining, differentiating amongmultiple users.

In some embodiments, the method comprises: constructing a user-specificprofile based on said touch data and said acceleration data, wherein theconstructing is performed over a pre-defined time-period; dynamicallyshortening the pre-defined time period for constructing saiduser-specific profile if one or more identified traits of said user aredistinctive.

In some embodiments, the method comprises: constructing a user-specificprofile based on said touch data and said acceleration data, wherein theconstructing is performed within a constraint selected from the groupconsisting of: (A) a pre-defined time-period, and (B) a pre-definednumber of user interactions; dynamically modifying said constraint forconstructing said user-specific profile, based on distinctiveness of oneor more traits of said user; storing a flag indicating whether saiduser-specific profile is either (i) under construction, or (ii) fullyconstructed.

In some embodiments, the method comprises: constructing a user-specificprofile which indicates that for a user-gesture that is performed at aparticular geometric place of the touch-screen of said electronicdevice, a first body part of the user is moving while a second body partof the user is at rest; based on said user-specific profile,differentiating among multiple users.

In some embodiments, the method comprises: constructing a user-specificprofile which indicates that for a scrolling gesture that is performedon the touch-screen of said electronic device, a first hand-region ofthe user is moving while a second hand-region of the user is at rest;based on said user-specific profile, differentiating among multipleusers. In some embodiments, the method comprises: analyzing touch-dataof a swipe gesture performed by the user on the touch-screen of saidelectronic device, to determine an estimated width of a finger of saiduser; constructing a user-specific profile which comprises saidestimated width of the finger of the user; based on said user-specificprofile, differentiating among multiple users.

In some embodiments, the method comprises: the method comprises:analyzing touch-data of a swipe gesture performed by the user on thetouch-screen of said electronic device, to determine an estimated widthof a finger of said user; constructing a user-specific profile whichcomprises said estimated width of the finger of the user; based on saiduser-specific profile, differentiating among multiple users. In someembodiments, the method comprises: analyzing touch-data of a circularswipe gesture performed by the user on the touch-screen of saidelectronic device, to determine an estimated distance between (A) a tipof a swiping finger of a hand of said user, and (B) a palm of said handof said user; constructing a user-specific profile which comprises saidestimated distance between the tip of the swiping finger and the palm ofthe hand; based on said user-specific profile, differentiating amongmultiple users.

In some embodiments, the method comprises: analyzing touch-data ofgenerally-straight swipe gestures performed by user on the touch-screenof said electronic device; determining that a first user typicallyrotates the electronic device clockwise while performinggenerally-straight swipe gestures; determining that a second usertypically rotates the electronic device counter-clockwise whileperforming generally-straight swipe gestures; based on saiddeterminations, differentiating among said first and second users.

In some embodiments, the method comprises: the method comprises:analyzing said touch data and said acceleration data of said electronicdevice, to determine a level of shakiness of the electronic device whilethe user operates said electronic device; analyzing said touch data andsaid acceleration data of said electronic device, to determine aneffect, of a performed user-gesture, on said level of shakiness of theelectronic device; constructing a user-specific profile which comprisesan indication of the effect of the performed user-gesture on the levelof shakiness of the electronic device; based on said user-specificprofile, differentiating among multiple users. In some embodiments, themethod comprises: sensing by said electronic device an amount ofpressure of a body part of the user while the user performs a gesture onsaid electronic device; determining a relation between the sensed amountof pressure and at least one of: said touch data of the electronicdevice, and said acceleration data of said electronic device; based onsaid relation, differentiating among multiple users.

In some embodiments, the method comprises: determining a currentlocation of the electronic device; determining a relation among: (A) thecurrent location of the electronic device, and (B) said touch data ofthe electronic device, and (C) said acceleration data of the electronicdevice; based on said relation, differentiating among multiple users.

In some embodiments, the method comprises: determining geographiclocation of the electronic device; determining a relation among: (A) thecurrent location of the electronic device, and (B) said touch data ofthe electronic device, and (C) said acceleration data of the electronicdevice; based on said relation, (a) determining that a first user,typically places the electronic device horizontally on a flat surfacewhen utilizing the electronic device in a first geographic location, and(b) determining that said first user, typically holds the electronicdevice slanted relative to the ground when utilizing the electronicdevice in a second geographic location; based on said determinations,differentiating among the first user and another user. In someembodiments, the method comprises: determining a currently-usedapplication of the electronic device, that the user is currentlyutilizing on said electronic device; determining a relation among: (A)the currently-used application of the electronic device, and (B) saidtouch data of the electronic device, and (C) said acceleration data ofsaid electronic device; based on said relation, differentiating amongmultiple users.

In some embodiments, the method comprises: determining a currently-usedapplication of the electronic device, that the user is currentlyutilizing on said electronic device; determining a relation among: (A)the currently-used application of the electronic device, and (B) saidtouch data of the electronic device, and (C) said acceleration data ofthe electronic device; based on said relation, (a) determining that afirst user typically holds the electronic device vertically whenutilizing a first particular application of the electronic device, and(b) determining that said first user typically holds the electronicdevice slanted relative to the ground when utilizing a second particularapplication of the electronic device; based on said determinations,differentiating among multiple users. In some embodiments, the methodcomprises: determining whether a current location of the electronicdevice is outdoors or indoors; determining a relation among: (A) thecurrent location of the electronic device being either outdoors orindoors, and (B) said touch data of the electronic device, and (C) saidacceleration data of said electronic device; based on said relation,differentiating among multiple users.

The present invention may include, for example, systems, devices, andmethods for detecting identity of a user of a mobile electronic device,and for determining that a mobile electronic device is used by afraudulent user. In accordance with the present invention, for example,a method for confirming identity of a user of a mobile electronic devicemay comprise: receiving touch data from a touch-screen of the mobileelectronic device; receiving acceleration data from an accelerometer ofthe mobile electronic device; correlating between the touch data and theacceleration data; based on the correlating, generating a user-specifictrait indicative of said user. In accordance with the present invention,for example, the method may comprise: storing a reference value of theuser-specific trait, indicative of said user; in a subsequent usagesession of the mobile electronic device, generating a current value ofthe user-specific trait correlating between touch data and accelerationdata; and based on a comparison between the current value of theuser-specific trait and the reference value of the user-specific trait,determining whether or not a current user of the mobile electronicdevice is an authorized user of the mobile electronic device. Inaccordance with the present invention, for example, storing comprises:storing within said mobile electronic device; and said comparison isperformed within said mobile electronic device. In accordance with thepresent invention, for example, storing comprises storing externally tosaid mobile electronic device; and said comparison is performedexternally to said mobile electronic device, and comprises wirelesslyreceiving at the mobile electronic device an indication of saidcomparison. In accordance with the present invention, for example, saidtouch data comprises non-tactile touch data indicating a hovering usergesture in proximity to said touch-screen. In accordance with thepresent invention, for example, the method may comprise: receivinggyroscope data from a gyroscope of the mobile electronic device;correlating between the touch data and the gyroscope data; based on thecorrelating between the touch data and the gyroscope data, generatinganother user-specific trait indicative of said user.

In accordance with the present invention, for example, the method maycomprise: capturing non-tactile motion data indicating a user gesture;correlating between the non-tactile motion data and the accelerationdata; based on the correlating between the non-tactile motion data andthe acceleration data, generating another user-specific trait indicativeof said user.

In accordance with the present invention, for example, the method maycomprise: comparing between (a) a currently-calculated value of theuser-specific trait, corresponding to a current usage of the mobileelectronic device, and (b) a previously-calculated value of theuser-specific trait, corresponding to a previous usage of the mobileelectronic device; and based on a comparison result, performing at leastone of: restricting access of said user to an online service;restricting access of said user to an application installed on saidmobile electronic device; requiring the user to authenticate hisidentity to an online service; requiring the user to authenticate hisidentity to an application installed on said mobile electronic device.

In accordance with the present invention, for example, the method maycomprise: based on said touch data, estimating user-specific motorcontrol parameters and user-specific motor control noise; and based onthe estimated user-specific motor control parameters and user-specificmotor control noise, differentiating between said user and another user.

In accordance with the present invention, for example, the method maycomprise: based on said touch data, estimating user-specific motorcontrol parameters and user-specific motor control noise of a controlloop which comprises translation error and gesture velocity error; andbased on the estimated user-specific motor control parameters anduser-specific motor control noise, differentiating between said user andanother user. In accordance with the present invention, for example, themethod may comprise: based on said correlating, estimating auser-specific physiological trait of said user; and based on theuser-specific physiological trait, differentiating between said user andanother user. In accordance with the present invention, for example,estimating the user-specific physiological trait of said user comprisesat least one of: estimating a length of a finger of the user; estimatinga width of a finger of the user; estimating a size-related parameter ofa finger of the user; estimating a distance between a tip of a finger ofthe user and another part of a hand of the user. In accordance with thepresent invention, for example, the method may comprise: based on saidcorrelating, estimating a user-specific behavioral trait of said user;and based on the user-specific behavioral trait, differentiating betweensaid user and another user. In accordance with the present invention,for example, estimating the user-specific behavioral trait of said usercomprises: determining that said user typically performs a particularinadvertent gesture while performing a user-intended input-providinggesture.

In accordance with the present invention, for example, estimating theuser-specific behavioral trait of said user comprises one or more of:determining that said user typically moves the mobile electronic deviceat a particular direction while performing a touch gesture; determiningthat said user typically rotates the mobile electronic device whileperforming a touch gesture; determining that said user typically slantsthe mobile electronic device at a particular angle while performing atouch gesture. In accordance with the present invention, for example,estimating the user-specific behavioral trait of said user comprises:determining that said user typically holds the mobile electronic devicewith a first hand of the user and concurrently performs aninput-providing gesture with a second hand of the user. In accordancewith the present invention, for example, estimating the user-specificbehavioral trait of said user comprises: determining that said usertypically holds the mobile electronic device with a single hand andconcurrently performs an input-providing gesture with said single hand.In accordance with the present invention, for example, the method maycomprise: based on said correlating, estimating a first user-specificbehavioral trait of said user which corresponds to a first usagescenario; based on said correlating, estimating a second user-specificbehavioral trait of said user which corresponds to a second usagescenario; based on the first and second user-specific behavioral traits,differentiating between said user and another user. In accordance withthe present invention, for example, the method may comprise: based onsaid correlating, estimating a first user-specific behavioral trait ofsaid user which corresponds to a first usage scenario in which said useroperates said mobile electronic device while the user holds said mobileelectronic device; based on said correlating, estimating a seconduser-specific behavioral trait of said user which corresponds to asecond usage scenario in which said user operates said mobile electronicdevice while the user does not hold said mobile electronic device; basedon the first and second user-specific behavioral traits, differentiatingbetween said user and another user. In accordance with the presentinvention, for example, a mobile electronic device may be configured toconfirm identity of a user of said mobile electronic device; the mobileelectronic device comprising: a touch-screen to receive touch data; anaccelerometer to receive acceleration data; a correlator module tocorrelate between the touch data and the acceleration data; a traitextractor module to generate a user-specific trait indicative of saiduser, based on correlation between the touch data and the accelerationdata.

Applicants have realized that each user of a mobile electronic devicemay handle the device in a unique manner which may be detected and maybe utilized for confirming the identity of the user, or for othersecurity-related purposes or fraud-detection purposes. Applicants haverealized, for example, that different users cause different type ofacceleration to the mobile device when they perform the same operationor touch-gesture (e.g., swiping or tapping or scrolling on thetouch-screen), or may tilt or rotate or slant the mobile device indifferent, unique ways when they perform such gestures or operations.

The present invention may include, for example, biometric modalities,personal trait extraction modalities, and/or identity authenticationmodalities which may be used in conjunction with a mobile or portableelectronic device, and may utilize a combination of (or correlationbetween) acceleration parameters and/or touch data. Such parameters maybe used in order to deduce unique insights regarding the identity orpossible identity of the user of the mobile electronic device, or inorder to determine whether or not the user is considered to be the“genuine” user, or in contrast, an attacker or impersonator or“fraudster”.

The present invention may capture, monitor, or otherwise utilize fordeduction of insights, the coupling or correlation between (a)touch-screen interaction, or other user gestures, and (b)accelerometer(s) measurements and/or gyroscope(s) measurements. Thepresent invention may further deduce and/or utilize one or more otherbiometric traits or identity-authentication traits, for example, touchor swipe locations, pressure dynamics, identification of physiologicalregions (e.g., in the hand of the user) that move while other regions donot move when a user gesture is performed, or other suitable traits inorder to assist in identification and/or authentication of the user ofthe mobile device. The present invention may sufficiently capture uniquequalities of a human user to be usable as a biometric forauthentication. Different people may have different preferredorientations for holding or grasping (e.g., in their hand) a mobiledevice, and/or a different way in which they press or touch or tap thetouch-screen (e.g., the applied force, the duration of the tapping, orthe like).

Applicants have realized that physical traits such as, for example, handsize, hand mass, or other traits, may change the way in which a user'sinteracting hand and his device-holding hand are correlated. In ademonstrative example, the present invention may distinguish ordifferentiate between (a) a person who is using one single hand for bothholding the mobile device and tapping on its touch-screen (or performingother touch gesture), and (b) a person who is using one hand to hold themobile device and another hand to tap on its touch-screen (or to performother touch gesture or user gesture). Moreover, as Applicants haverealized, different tap locations (e.g., top-left corner or region ofthe touch-screen, versus bottom-right corner or region) may createdifferent torque(s) on the mobile device, further depending on the tapstrength, the offset of the mobile device in the hand (e.g., the devicebeing held high or low, with the palm area or the fingers area, or thelike) and/or the size of the hand (e.g., if the same hand is used forboth holding the device and tapping on its touch-screen).

The terms “mobile device” or “mobile electronic device” as used hereinmay include, for example, a smartphone, a cellular phone, a mobilephone, a tablet, a handheld device, a portable electronic device, aportable gaming device, a portable audio/video player, a smart-watch, adigital watch, a digital wrist-watch, an Augmented Reality (AR) orVirtual Reality (VR) device or glasses or helmet or headset (e.g.,similar to Google Glass, or similar to Oculus Rift), a fitness band orfitness watch, a laptop computer, a tablet computer, a notebookcomputer, a netbook computer, an electronic device which comprises atleast an accelerometer and a touch-screen, or the like.

The term “genuine user” as used herein may include, for example, anowner of a mobile electronic device; a legal or lawful user of a mobileelectronic device; an authorized user of a mobile electronic device; aperson who has legal authorization and/or legal right to utilize amobile electronic device, for general purpose(s) and/or for one or moreparticular purpose(s); or the person who had originally defined usercredentials (e.g., username and password) for performing an activitythrough the mobile electronic device.

The term “fraudulent user” as used herein may include, for example, anyperson who is not the “genuine user” of the mobile electronic device; anattacker; an intruder; a man-in-the-middle attacker; aman-in-the-browser attacker; an unauthorized user; an impersonator; ahacker; a cracker; a person attempting to hack or crack or compromise asecurity measure utilized by the mobile electronic device or utilized byan activity or service accessible through the mobile electronic device;a fraudster; a human fraudster; a “bot” or a malware or an automatedcomputerized process (e.g., implemented by using software modules and/orhardware components) which attempts to imitate human behavior or whichattempts to act as if such “bot” or malware or process was the genuineuser; or the like.

The term “user gesture” as used herein may include, for example, agesture or movement or other operation that a user of a mobile deviceperforms on a touch-screen of the mobile device, or performs inproximity to the touch-screen of the mobile device; touch gesture; tapgesture or double-tap gesture or prolonged tap gesture; scroll gesture;drag gesture, or drag-and-drop gesture; release gesture; click ordouble-click gesture; hovering gestures, in which the user may hoverwith his finger(s) or hand(s) in proximity to the touch-screen of themobile device but without necessarily touching the touch-screen device;hovering gestures that may be captured by a camera of the mobile device,or by a touch-screen of the mobile device (e.g., by taking into accountelectrical and/or magnetic effects of such gestures); hovering gestureswhich may be generally similar to touch-free hovering gestures that aSamsung Galaxy S4 smartphone is able to detect; finger(s) gesturesand/or hand(s) gestures made in a three-dimensional space, for example,similar to movement gestures that a Microsoft Kinect motion sensinginput device is able to sense; and/or a combination of such gestures orother gestures.

In some embodiments, a mobile device may comprise, for example, aprocessor, a memory unit, a storage unit, a wireless transceiver, atouch-screen, one or more accelerometers, and one or more gyroscopes.The mobile device may further comprise, for example, one or morehovering sensors, one or more motion gesture sensor(s), a correlator, atrait extractor, a trait repository, a profile constructor module, anidentity authenticator module, and a physiological trait estimator.Mobile device may comprise other suitable hardware components and/orsoftware modules, for example, a power source (e.g., a rechargeablebattery), an Operating System, software applications, or the like.

Touch-screen may receive user gestures, for example, tapping,double-tapping, dragging, pressing, holding down, releasing, scrolling,pinching fingers for zoom-out, spreading fingers for zoom-in, or thelike). Touch data may be stored in a touch data repository, optionallyin association with a time-stamp associated with each touch data-itembeing stored.

Accelerometer(s) may comprise, for example, a three-axis accelerometerable to measure acceleration, separately, along three axes (X axis, Yaxis, Z axis). Accelerometer readings may be stored in an accelerationdata repository, optionally in association with a time-stamp associatedwith each acceleration data-item being stored.

Gyroscope(s) may comprise, for example, a three-axis gyroscope able tomeasure orientation and/or rotation, e.g., separately along three axes(X axis, Y axis, Z axis). The measured data may be stored in a gyroscopedata repository, optionally in association with a time-stamp associatedwith each orientation/rotation data-item being stored.

Hovering sensor(s) may comprise, for example, one or more sensors (e.g.,optical sensors, magnetic sensors, electric sensors, touch-screencomponents, camera components, or the like) able to sense hoveringgesture(s) of the user of the device, for example, in athree-dimensional space or separately along three axes (X axis, Y axis,Z axis). The measured data may be stored in a hovering data repository,optionally in association with a time-stamp associated with eachhovering data-item being stored.

Motion gesture sensor(s) may comprise, for example, one or more sensorsable to sense motion gesture(s) of the user of the device, for example,in a three-dimensional space or separately along three axes (X axis, Yaxis, Z axis). The measured data may be stored in a motion gesture datarepository, optionally in association with a time-stamp associated witheach motion gesture data-item being stored.

Correlator may search for, or identify or determine, correlation among(a) acceleration data and/or gyroscope data, and (b) touch data and/orhovering data and/or motion gesture data. Trait extractor may determineone or more user-specific traits or characteristics which may be, or mayappear to be, unique to (or indicative of) a particular user, based onone or more correlation(s) identified by correlator. Trait values ortrait indicators, or data indicative of extracted user-specific traits,may be stored in a trait repository.

Profile constructor module may utilize a learning algorithm to constructa user profile based on the one or more user-specific traits identifiedby trait extractor and stored in trait repository. Profile constructionmay be performed over a per-defined time period (e.g., five hours, orthree days) of the user interacting with the device; or over apre-defined number of interactions (e.g., 12 or 25 or 100 interactions)of the user with the device. Optionally, profile constructor module maydynamically extend or shorten or modify the required time-period orinteraction number, for example, if traits of a particular user aredistinctive and are rapidly extracted over a shorter period of time orover a smaller number of user interactions. Constructed user profilesmay be stored in a user profile repository, which may be internal to thedevice or may be external thereto (e.g., in a remote server or in a“cloud computing” server), optionally with an associated flag orparameter indicating whether a particular user profile is fullyconstructed or under construction.

Identity authenticator module may capture one or more traits of a userwho is currently utilizing device, and may analyze and determine whetheror not these traits are similar to, or different from, user-specifictraits in a user profile associated with a user that is believed to be a“genuine” user of the device. The analysis results may be notified byidentity authenticator module to other units or modules, within thedevice (e.g., an application or process running in the device) and/orexternally to the device (e.g., on a remote server, on a remote web-siteor web-page, in a “cloud” server or device).

For example, if the analysis indicates that the current user of thedevice is not the genuine user, then, one or more fraud-stoppingoperations or additional authentication operations may be triggered andperformed, for example, requiring the user to re-enter his password orpass-phrase or Personal Identification Number (PIN), requiring the userto answer one or more security questions, requiring the user to performlog-in operations or to provide account details (e.g., to providedate-of-birth data), requiring the user to place a phone call to a frauddepartment or a security department of a service or entity associatedwith an application running on the device; blocking or restricting orcurtailing access of the user to one or more services or features whichmay be generally available through the device; or the like.

Correlator may identify user-specific physiological correlations. Forexample, correlator may identify one or more geometric place(s), ontouch-screen or in a space proximate to touch-screen, in which a usergesture is associated with movement of a user body part (e.g., thethumb; one or more fingers; the palm or wrist) while also beingassociated with rest or non-movement of other body parts of the user.Based on the user-specific physiological correlations, trait extractormay extract user-specific physiological trait(s).

In a demonstrative example, trait extractor may determine that for theuser Adam, a vertical scroll-down touch-gesture is typically associatedwith movement of the root of the thumb, while the other fingers are atrest and while the wrist or palm-base are at rest; whereas, for the userBob, a vertical scroll-down touch-gesture is typically associated withboth movement of the root of the thumb, as well as with slightrotational movement of fingers that hold or support the rear of themobile device, and while the wrist or palm-base are at rest. This may besubsequently used for user authentication or for identity confirmation,to distinguish between a “genuine” user (e.g., Adam) and a fraudulentuser or non-genuine user (e.g., Bob) when the user of the deviceperforms a similar user gesture.

In another demonstrative embodiment, correlator may determine that theuser of the device (e.g., the “genuine” user), while performing aprimary gesture or an intended gesture (e.g., required in order toprovide user input to the device), typically also performs a secondarygesture an inadvertent gesture (e.g., not required in order to provideuser input to the device). For example, the primary gesture may be ascrolling gesture, a zoom-in or zoom-out gesture, a dragging gesture, atapping gesture, or other user input gesture; whereas, the secondarygesture (e.g., the inadvertent or unintended gesture, to which the usermay not even be aware) may be, for example, slight or significantrotating or spinning of the device, slight or significant movement ofthe device (e.g., in a particular direction), slight or significanttilting or slanting of the device (e.g., at a particular angle orrange-of-angles), or the like.

In another demonstrative embodiment, correlator may be associated with,or may operate in conjunction with, physiological trait estimator whichmay be able to indirectly estimate one or more physiological traits orphysiological characteristics of the user of the device, andparticularly, of the hand(s) or finger(s) (e.g., a finger, a thumb, orthe like) of that user. For example, physiological trait estimator mayestimate a width of a finger or thumb based on a width of a swipingtrace performed by the finger on touch-screen; may estimate a length ofa finger or thumb based on a radius of a circular or arched or curvedswiping motion on touch-screen; may estimate the distance between thetip of a finger or thumb and the palm of the hand, or the wrist; mayestimate other dimensions of hand-parts, or relations between such handparts; or the like. Physiological trait estimator may thus estimatephysiological characteristics which may be unique to a particular user,and may assist in confirming user identity and/or in detecting anon-genuine user impersonating the genuine user.

Additionally or alternatively, correlator may be associated with, or mayoperate in conjunction with, a motor control estimator which mayestimate user-specific motor control parameters based on the user'sinteraction with the mobile device. Such parameters may include, forexample, parameters of the action-perception loop modeling the hand-eyecoordination, as well as control loop parameter, motor noise, perceptionnoise, or the like. Motor control estimator may estimate user-specificparameters of motor control, which may be more inherent to the user andmay be less action-dependent.

In a demonstrative implementation, for example, motor control estimatormay track a user gesture on the touch-screen (e.g., a scroll or swipegesture). The movement or gesture may begin at rest in a start-point(X0, Y0) and may end at rest in an end-point (X1, Y1). A demonstrativecontrol loop of the second order, for example, may assume that the forceof the hand is governed by a linear combination of two error terms: atranslation error, and the current velocity error. Examples of suchdeterminations of a motor control loop, and its parameters, which areuser specific, are described above.

Accordingly, motor control estimator may estimate or may simulatetrajectories which may be similar to human trajectories; and although avelocity curve may be different for each movement of the same movement,the velocity curve may be generated by the same model parameters of thatspecific user. Motor control estimator may thus estimate these threeparameters (for the X-axis, and/or for the Y-axis), thereby estimatinguser-specific motor control traits which may be used for differentiatingbetween a genuine user and an impersonator or attacker, regardless ofthe specific movement(s) or gesture(s) performed. The above is only ademonstrative example, and motor control estimator may utilize othermotor control estimations, forward model(s), feedback model(s),estimation of similar peak velocity (or other movement properties) fordifferent movements (e.g., if the error terms are distorted by anon-linear function).

Additionally or alternatively, correlator may identify user-specificbehavioral correlations. For example, correlator may identify that whena particular user performs a particular user-gesture, performance of thegesture affects in a particular way the acceleration data and/or theorientation/rotation data of the device. Based on the user-specificbehavioral correlations, trait extractor may extract user-specificbehavioral trait(s).

In a demonstrative example, trait extractor may determine that for theuser Adam, a horizontal swipe gesture is typically associated with acounter-clockwise rotation in the range of 10 to 15 degrees around avertical axis (e.g., a rotation axis parallel to the longest dimensionof the device); whereas, for the user Bob, a horizontal swipe gesture istypically associated with a clockwise rotation in the range of 5 to 10degrees (or, with substantially no rotation at all) around that verticalaxis. This may be subsequently used for user authentication or foridentity confirmation, to distinguish between a “genuine” user (e.g.,Adam) and a fraudulent user or non-genuine user (e.g., Bob) when theuser of the device performs a similar user gesture.

Correlator may be configured to search for, and detect, otheruser-specific behavioral correlations, for example: correlations basedon the manner of holding device (e.g., a primary angle of holding), andthe effect of various user gestures on such holding or on the primaryangle of holding; correlations based on the stability or the shakinessof device (e.g., optionally taking into account the amount and/orfrequency and/or timing of hand vibrations or hand movements), and theeffect of various user gestures on such device stability or shakiness,or on stability or shakiness of the hand of the user that holds oroperates the device; correlations based on movement, spinning, rotationand/or acceleration of the device, along one axis or two axes or threeaxes, as a result of (or concurrently with) a user gesture such as, forexample, tap, double-tap, prolonged tap, release, drag, drag and drop,click, double-click, rotation or movement of an on-screen object,rotation of the device by 90 degrees or 180 degrees or 270 degrees,horizontal or vertical or diagonal swipe gesture, scroll gesture,zoom-in or zoom-out gestures, user operations on physical buttons orsliders or interface components of the device (e.g., volume interface,camera button, button for capturing an image or a video), or the like.

Correlator may further detect correlations based on movement, spinning,rotation and/or acceleration of the device, along one axis or two axesor three axes, that occur prior to or subsequent to a user gesture. Forexample, correlator may detect that a first particular user typicallytilts the phone from being generally perpendicular to the ground, tobeing generally parallel to the ground, immediately prior to performinga zoom-out gesture (e.g., a “pinching” gesture with two fingers ontouch-screen). Similarly, correlator may detect that a second particularuser typically rotates the phone counter-clockwise, immediatelysubsequent to performing a zoom-in gesture (e.g., spacing apart twofingers on touch-screen). In some implementations, for example, acorrelation may be detected while the user gesture is performed,immediately before the user gesture is performed (e.g., within 0.5seconds prior to the user gesture), and/or immediately after the usergesture is performed (e.g., within 0.5 seconds subsequent to the usergesture).

Optionally, correlator may detect other suitable correlations, and maytake into account other types of readings or sensed data, for example,data indicating a temperature or moisture level or sweat level which maybe associated with a user gesture, data indicating the amount ofpressure or force applied by a user (e.g., when pressing ontouch-screen), or the like.

In a demonstrative example, a first user may typically scroll down withhis finger on touch-screen while slightly rotating the mobile devicearound its longest axis; and a correlation may be identified between therespective touch data and acceleration/orientation data, indicative ofthe first user. In contrast, a second user may typically scroll downwhile maintaining the mobile device non-rotating, or while rotating themobile device at a different direction or angle, or at a differentacceleration value, thereby allowing to identify a differentcorrelation, indicative of the second user.

Optionally, the present invention may identify, create and utilize afirst set of behavioral traits which correspond to the behavior of aparticular user when he is utilizing his mobile device in a firstholding scenario (e.g., when the user is holding the mobile device inhis hand), and a second (different) set of behavioral traits whichcorrespond to the behavior of that particular user when he is utilizinghis mobile device in a second holding scenario (e.g., when the mobiledevice is placed on a table or flat surface and the user operates themobile device without holding it). Accordingly, the present inventionmay create and utilize a behavioral profile for that user, which maycomprise multiple sub-profiles of behavioral traits that correspond tosuch multiple usage scenarios by the same (e.g., “genuine”) user. In asubsequent usage of the mobile device, the system may compare thebehavioral traits of the subsequent user, to each one (e.g., separately)of the pre-stored sets of behavioral traits (or behavioralsub-profiles), in order to detect or determine whether that subsequentuser is the “genuine” user operating in one of the known usagescenarios, or alternatively a fraudulent user or attacker. Similarly,the present invention may generate and/or utilize complex profiles thatmay comprise of sub-profiles or sets of traits (e.g., behavioral traits,physiological traits, motor control traits), such that each set orsub-profile may correspond to a particular usage scenario or aparticular holding scenario of the user; and a subsequent usage may becompared, separately, to each one of those sub-profiles (or sets oftraits) in order to determine user authenticity.

The terms “correlation”, “correlator”, “to correlate”, and similar orequivalent terms which may be used herein, are used for demonstrativepurpose only; they may include, for example, statistical correlation, orstatistically-significant correlation, or any other type of relation orindication or matching between two parameters or between groups ofvalues. In some embodiments, there need not be statistically-significantcorrelation between, for example, touch data and acceleration data, inorder to identify or extract unique user trait(s); but rather, there maybe other type of relation or matching between touch-data andacceleration data in order to determine such “correlation”.

In accordance with the present invention, the mobile device maycontinuously track and/or monitor the correlation between touch-data andacceleration/orientation data. Correlation values may be used todetermine user-specific traits, that are indicative of the user of themobile device, which may be regarded initially as the “genuine” user.Then, during subsequent usage of the mobile device, correlation betweentouch-data and acceleration/orientation data may be tracked andidentified, and may be compared to the correlation previously-determinedfor the genuine user, in order to confirm that a current user is indeedthe genuine user, or in order to determine or to estimate that a currentuser is a non-genuine user.

In a demonstrative implementation, an application or a website may beaccessible through the device through an access control process or auser authentication process. Such application or website may be, forexample, an email account, a social network account, a video conferenceapplication, a chat application, an online banking application orwebsite, a securities trading application or website, an electroniccommerce account or website, or the like. The user may be prompted tocreate a new user account (e.g., define a username and password); andthen, or in parallel, user-specific traits may be captured throughpassive means and/or active means, which may be known to the user or maybe hidden from the user.

For example, a profile creation page or application may require the userto perform various touch operations (e.g., tapping, scrolling, dragging,or the like), and may capture touch data as well asacceleration/orientation data, which may then be correlated in order toidentify a biometric trait indicative of the user who is currentlycreating the profile, or who is otherwise believed to be a genuine user(e.g., based on password entry and/or responses to security questions orother challenge-response mechanisms). Optionally, an active challengemay be posed to the user, for example, by explicitly asking the user toperform one or more particular touch gestures on touch-screen, either as“hidden” challenges (in which the user is not aware that he is activelychallenged for security purposes) or as non-hidden challenges (in whichthe user is advised that, as a security measure, he is required toperform certain touch gestures in order to extract biometric traits).

A method may be implemented by a mobile electronic device, by one ormore hardware components and/or software modules of a mobile electronicdevice, by a system, or the like. The method may include, for example,capturing at least one of touch data, hovering data, motion data,gesture data (block 510). The method may include, for example, capturingat least one of acceleration data, gyroscope data, deviceorientation/rotation data, principal axes rotation data (e.g., normalaxis or yaw, lateral axis or pitch, longitudinal axis or roll) (block520). The operations of block 520 may be performed simultaneously orconcurrently with, or in parallel to, the operations of block 510. Themethod may include, for example, correlating or matching (block 530)between the data captured in block 510 and the data captured in block520. The method may include, for example, extracting a user-specifictrait (block 540) based on the correlating or matching of block 530. Theuser-specific trait may include, for example, one or more behavioraltraits, physiological traits, motor control traits, or otheruser-specific characteristics. The method may include, for example,subsequently, confirming user identity based on said user-specific trait(block 550). Other suitable operations may be used in accordance withthe present invention.

In accordance with the present invention, correlation between touch-dataand acceleration/orientation data may be identified and/or checkedlocally in the mobile device; or remotely, such as in a remote serverwhich may receive such data via a wireless communication link from themobile device; or by using other suitable architecture, for example, ahybrid architecture in which some operations may be performed locallyand other operations may be performed remotely. Accordingly, componentsor modules that are depicted, for demonstrative purposes, as beingincluded in the mobile device, may be implemented at a remote server orwithin other suitable units. The present invention may be implemented ina stand-alone mobile device, such that data collection and processingmay be performed within the device; or in a client-server architecture,such that the device may collect data and may wirelessly transmit thecollected data to a remote server for processing and analysis; or in a“cloud computing” architecture in which data is stored remotely and isalso processed remotely. Other suitable architectures may be used, todeploy a system in which a particular mobile device “knows” orrecognizes its genuine user, or, to deploy a system in which aparticular application or website “know” or recognize a genuine user,based on the above-mentioned correlations.

In a demonstrative experiment in accordance with the present invention,multiple participants were asked to hold a particular mobile device (aniPad tablet), to drag (with a finger) a displayed green circle towards adisplayed red target, and then to release the dragged item once itreached the red target. Accelerometer data and touch data were collectedwhile performing the requested operations. The experiment measured thetouch and release signals, as well as accelerometer measurements; andthen triggered the acceleration data according to the touch time. TheApplicants generated graphs, which demonstrate acceleration as afunction of time over three separate axes, thereby demonstrating atleast two identifying characteristics which may be used as auser-specific trait. As a first identifying characteristic, the phasiclevel (observed at the X axis) may have different values for differentpeople, corresponding to different posture of the mobile device. As asecond identifying characteristic, the transient shape once the deviceis clicked (observed at the Z axis) may have different values fordifferent people. This data may be transformed or analyzed, for example,by using dimension reduction techniques (e.g.,kernel-principle-component-analysis), thereby demonstrating thebiometric capability of synergizing between touch data and accelerationdata.

The Applicants generated another graph of the main axes of thedimension-reduced space of the accelerometer reaction to tapping. Eachsmall item in the graph represents one trial, and each shape orcharacter in the graph (e.g., circle, square, diamond, triangle)represents a different user. This graph demonstrated identifiableclusters of trials, each such cluster corresponding to a different user.

In certain scenarios, posture data (e.g., phasic response) may beneglected or may not be available, for example, if the mobile device isoperated while being placed on a table or a flat surface and is nothand-held by the user. In such scenarios, only the device's kinematicsduring taps may be taken into account, and still the present inventionmay capture sufficient information for biometric functions. TheApplicants generated another graph, depicting the feature space, whereeach dot represents a trial; greyed circles represent trials performedby one particular user, and black circles represent trials performed bythe other participants. It demonstrated dimension reduction when onlythe device's kinematics are taken into account, showing that, still,sufficient significant biometric information may be captured anddetermined.

The present invention may be used in order to automatically identifythat a user (e.g., an attacker or a “fraudster”) is attempting to poseas (or impersonate, or “spoof”) another user (e.g., the “real” user orthe genuine user). In accordance with the present invention, theattacker would need to carefully and correctly imitate the exactaccelerometer response for tapping (or for other suitable touch-screenoperations, such as scrolling, dragging, releasing), taking into accountthe particular kinematics properties of the genuine user; and suchimitation may be extremely difficult and unlikely, or even impossible,for most attackers.

The present invention may utilize signal processing and/or machinelearning techniques, in order to build or generate a template model or aprofile which corresponds to the genuine user; and then comparesubsequent instance(s) or sample(s) to the pre-built (and locallystored, or remotely stored) model or profile. If the subsequent samplesare consistent with the pre-built model or profile, then a first outputscore may be generated (e.g., having a high value in a predefinednumeric range, such as a value of 98 on a scale of 0 to 100); whereas,if the subsequent samples are inconsistent with the pre-built model orprofile, then a second output score may be generated (e.g., having alower value on the predefined numeric range, such as a value of 34 onthe scale of 0 to 100). In some implementations, an output score greaterthan a threshold value may be used (alone, or in combination with otherbiometric traits and/or other authentication measures) as an indicationthat the current user is the genuine user; whereas an output score lowerthan the threshold value may be used (alone, or in combination withother biometric traits and/or other authentication measures) as anindication that the current user is not the genuine user.

The present invention may further be used to differentiate ordistinguish between the genuine (human) user, and a robot or amachine-operable module or function (e.g., implemented as a computervirus, a Trojan module, a cyber-weapon, or other malware) which attemptsto automatically imitate or emulate or simulate movement of a cursor orother interaction with a touch-screen. For example, false identitycreated by automated malware may be detected by the present invention assuch automated malware may lack the characterization of human (e.g.,manual) behavior, such as the touch features (e.g., speed, pressure)and/or its accelerometer correlated measurements.

The present invention may operate and may provide an efficient biometricor user-authentication modality, without capturing, storing, orotherwise identifying any Personally Identifiable Information (PII). Forexample, the present invention may be used to distinguish between agenuine user and a fraudster, without knowing any PPI of the genuineuser and/or of the fraudster.

The present invention may detect correlations and extract user-specifictraits based on passive data collection and/or based on activechallenges. In passive data collection, the mobile device may detectthat the user is performing a particular operation (e.g., a verticalscroll gesture), and may further detect that performing this gestureaffects in a user-specific way the acceleration and/or theorientation/rotation of the mobile device. In an active challenge, themobile device (or an application or process thereof) may activelypresent a challenge to the user, such as, a requirement to the user toperform horizontal scrolling, in order to capture data and detectuser-specific correlation(s). The active challenge may be hidden or maybe unknown to the user, for example, implemented by creating a GraphicalUser Interface (GUI) that requires the button to scroll in order toreach a “submit” button or a “next” button or a “continue” button,thereby “forcing” the user to unknowingly perform a particularuser-gesture which may be useful for correlation detection or forextraction of user-specific traits, as described. Alternatively, theactive challenge may be known to the user, and may be presented to theuser as an additional security feature; for example, by requesting theuser to drag and drop an on-screen object from a first point to a secondpoint, as an action that may be taken into account for confirming useridentity.

Some embodiments of the present invention may be implemented, forexample, as a built-in or integrated security feature which may be acomponent or a module of a mobile device, or may be a downloadable orinstall-able application or module, or plug-in or extension; or as amodule of a web-site or web-page, or of a client-server system or a“cloud computing” system; or as machine-readable medium or article ormemory unit able to store instructions and/or code which, when executedby the mobile device or by other suitable machine (e.g., a remoteserver, or a processor or a computer) cause such machine to perform themethod(s) and/or operations described herein.

Some units, components or modules, that are discussed for demonstrativepurposes as comprised within the mobile device, may be implementedexternally to the mobile device, may be implemented in a remote server,a web server, a website or webpage, a “cloud computing” server ordatabase, a client/server system, a distributed system, a peer-to-peernetwork or system, or the like.

In some embodiments of the present invention, the analysis orcorrelation or matching (e.g., between accelerometer/gyroscope data, andtouch-data or hovering data or other user-gesture data) may belocation-based and/or application-based, or may otherwise take intoaccount a geographical location or geo-spatial location of the mobiledevice or the application(s) being used or that are installed on thedevice. In a demonstrative example, a suitable module (e.g., alocation-aware module or location-determining module) in the mobiledevice may determine the current location of the mobile device, based onGPS data or Wi-Fi data or cellular triangulation data or mobile networkcell data or other location-identification techniques. The mobile phonemay then utilize a suitable module (e.g., a correlator or matchingmodule between location and user-specific behavioral usage traits) inorder to deduce or determine, for example: that when the user utilizeshis mobile device in a first location (e.g., in his office), then themobile phone is typically placed horizontally on a flat surface (e.g., atable); that when the user utilizes his mobile phone in a secondlocation or type of location (e.g., outdoor, on the street, in thepark), then the mobile phone is typically held by the hand of the userat a slanted angle or diagonally (e.g., at approximately 45 to 60degrees relative to the ground); that when the user utilizes his mobilephone in a third location or type of location (e.g., at a Point-Of-Sale(POS) terminal or register or cashier, at a supermarket or a retailstore), then the mobile phone is typically held generally horizontallyby the hand of the user (e.g., generally parallel to the ground); thatwhen the user utilizes his mobile phone in a fourth location or type oflocation (e.g., at an Automatic Teller Machine (ATM) or a vendingmachine), then the mobile phone is typically held generally verticallyby the hand of the user (e.g., at an angle of approximately 90 degrees,or between 80 to 100 degrees, relative to the ground); or the like.These determinations may be location-based or location-aware, therebytriangulating or crossing among three dimensions, namely, behavioraluser-specific traits (e.g., holding the phone diagonally), gesture data(e.g., performing a scroll-down gesture), and location data (e.g., whenutilizing the phone at a retailer); and such determinations may be partof the user-specific profile of that user. In a subsequent usage of themobile device, similar determinations may be made, in order to analyzewhether or not a current user is indeed the same user as in previoususage session(s) or is a “genuine” user. In a demonstrative example,this three-prone approach may raise an alert if, for example, typicallythe user of the mobile device holds his mobile device horizontally whenperforming a scroll-operation at a Point of Sale terminal; and in asubsequent usage session of the mobile device, a user holds that phonevertically when performing a scroll-operation at such Point of Saleterminal, thereby indicating that the subsequent user may not be thegenuine or authorized user of the mobile device. In some embodiments,these multi-prone determinations may further be augmented with, ormatched or correlated with, application-specific data orapplication-specific determinations, in order to improve the tailoringof the behavioral traits to the specific user. For example, the mobiledevice may differentiate and determine that the genuine user typicallyholds the phone vertically (e.g., anywhere, or in a particular locationor type of location) when utilizing the camera application of the mobiledevice, but typically holds the phone horizontally (e.g., anywhere, orin that particular location or type of location) when utilizing theaddress book application of the mobile device; and these user-specifictraits may be extracted and subsequently compared to data captured in asubsequent usage session of that mobile device, to authenticate useridentity.

Some embodiments may comprise a system, device, and method of detectingidentity of a user of an electronic device. A method for confirmingidentity of a user of a mobile electronic device, may include: receivingtouch data from a touch-screen of the mobile electronic device;receiving acceleration data from an accelerometer of the mobileelectronic device; correlating between the touch data and theacceleration data; based on the correlating, generating a user-specifictrait indicative of said user. The method further includes storing areference value of the user-specific trait, indicative of said user; ina subsequent usage session of the mobile electronic device, generating acurrent value of the user-specific trait correlating between touch dataand acceleration data; and based on a comparison between the currentvalue of the user-specific trait and the reference value of theuser-specific trait, determining whether or not a current user of themobile electronic device is an authorized user of the mobile electronicdevice.

For example, a method for confirming identity of a user of a smartphonemay comprise: receiving touch data from a touch-screen of thesmartphone; receiving acceleration data from an accelerometer of thesmartphone; correlating between the touch data and the accelerationdata; based on the correlating, generating a user-specific traitindicative of said user of said smartphone; storing, either locallywithin said smartphone or on a remote server, a reference value of theuser-specific trait, indicative of said user of said smartphone; in asubsequent usage session of the smartphone, generating and storing acurrent value of the user-specific trait correlating between touch dataand acceleration data; and based on a comparison process between (A) thecurrent value of the user-specific trait that was generated, and (B) thereference value of the user-specific trait that was previouslygenerated, determining whether or not a current user of the smartphoneis an authorized user of the smartphone.

In some embodiments, said touch data comprises non-tactile touch dataindicating a hovering user gesture in proximity to said touch-screen ofsaid smartphone.

In some embodiments, the method comprises: receiving gyroscope data froma gyroscope of the smartphone; correlating between the touch data andthe gyroscope data and the acceleration data; based on the correlatingbetween the touch data and the gyroscope data and the acceleration data,generating another user-specific trait indicative of said user.

In some embodiments, the method comprises: determining by saidsmartphone, an offset of holding said smartphone in a hand of said user,wherein the offset comprises an offset selected from the groupconsisting of: the smartphone being held with a palm area of the hand,and the smartphone being held with a fingers area of the hand; based onsaid offset of holding the smartphone in the hand, differentiating amongmultiple users.

In some embodiments, the method comprises: determining by saidsmartphone, whether (A) the same hand of the user is utilized for bothholding the smartphone and tapping the touch-screen of the smartphone,or (B) a first hand of the user is utilized for holding the smartphoneand a second hand of the user is utilized for tapping the touch-screenof the smartphone; based on said determining, differentiating amongmultiple users.

In some embodiments, the method comprises: constructing a user-specificprofile which indicates that for a user-gesture that is performed at aparticular geometric place of the touch-screen of said smartphone, afirst body part of the user is moving while a second body part of theuser is at rest; based on said user-specific profile, differentiatingamong multiple users.

In some embodiments, the method comprises: constructing a user-specificprofile which indicates that for a scrolling gesture that is performedon the touch-screen of said smartphone, a first hand-region of the useris moving while a second hand-region of the user is at rest; based onsaid user-specific profile, differentiating among multiple users.

In some embodiments, the method comprises: analyzing touch-data of aswipe gesture performed by the user on the touch-screen of saidsmartphone, to determine an estimated width of a finger of said user;constructing a user-specific profile which comprises said estimatedwidth of the finger of the user; based on said user-specific profile,differentiating among multiple users.

In some embodiments, the method comprises: analyzing touch-data of acircular swipe gesture performed by the user on the touch-screen of saidsmartphone, to determine an estimated distance between (A) a tip of aswiping finger of a hand of said user, and (B) a palm of said hand ofsaid user; constructing a user-specific profile which comprises saidestimated distance between the tip of the swiping finger and the palm ofthe hand; based on said user-specific profile, differentiating amongmultiple users. In some embodiments, the method comprises: analyzingtouch-data of generally-straight swipe gestures performed by user on thetouch-screen of said smartphone; determining that a first user typicallyrotates the smartphone clockwise while performing generally-straightswipe gestures; determining that a second user typically rotates thesmartphone counter-clockwise while performing generally-straight swipegestures; based on said determinations, differentiating among said firstand second users.

In some embodiments, the method comprises: analyzing said touch data andsaid acceleration data of said smartphone, to determine a level ofshakiness of the smartphone while the user operates said smartphone;analyzing said touch data and said acceleration data of said smartphone,to determine an effect, of a performed user-gesture, on said level ofshakiness of the smartphone; constructing a user-specific profile whichcomprises an indication of the effect of the performed user-gesture onthe level of shakiness of the smartphone; based on said user-specificprofile, differentiating among multiple users. In some embodiments, themethod comprises: analyzing said touch data and said acceleration dataof said smartphone, to determine that immediately prior to performing anon-screen zoom gesture, the user of the smartphone modifies a tilt angleof the smartphone relative to ground; constructing a user-specificprofile which comprises an indication that immediately prior toperforming on-screen zoom gestures, the user of the smartphone modifiesthe tilt angle of the smartphone relative to ground; based on saiduser-specific profile, differentiating among multiple users.

In some embodiments, the method comprises: sensing by said smartphone asweat level of the user while the user performs a gesture on saidsmartphone; correlating between the sensed sweat level of the user andat least one of: said touch data of the smartphone, and saidacceleration data of said smartphone; based on said correlating,differentiating among multiple users. In some embodiments, the methodcomprises: sensing by said smartphone a temperature of a body part ofthe user while the user performs a gesture on said smartphone;correlating between the sensed temperature and at least one of: saidtouch data of the smartphone, and said acceleration data of saidsmartphone; based on said correlating, differentiating among multipleusers. In some embodiments, the method comprises: sensing by saidsmartphone an amount of pressure of a body part of the user while theuser performs a gesture on said smartphone; correlating between thesensed amount of pressure and at least one of: said touch data of thesmartphone, and said acceleration data of said smartphone; based on saidcorrelating, differentiating among multiple users.

In some embodiments, the method comprises: determining a currentlocation of the smartphone; correlating between (A) the current locationof the smartphone, and (B) said touch data of the smartphone, and (C)said acceleration data of said smartphone; based on said correlating,differentiating among multiple users.

In some embodiments, the method comprises: determining geographiclocation of the smartphone; correlating between (A) the current locationof the smartphone, and (B) said touch data of the smartphone, and (C)said acceleration data of said smartphone; based on said correlating,(a) determining that a first user, typically places the smartphonehorizontally on a flat surface when utilizing the smartphone in a firstgeographic location, and (b) determining that said first user, typicallyholds the smartphone slanted relative to the ground when utilizing thesmartphone in a second geographic location; based on saiddeterminations, differentiating among the first user and another user.

In some embodiments, the method comprises: determining a currently-usedapplication of the smartphone, that the user is currently utilizing onsaid smartphone; correlating between (A) the currently-used applicationof the smartphone, and (B) said touch data of the smartphone, and (C)said acceleration data of said smartphone; based on said correlating,differentiating among multiple users.

In some embodiments, the method comprises: determining a currently-usedapplication of the smartphone, that the user is currently utilizing onsaid smartphone; correlating between (A) the currently-used applicationof the smartphone, and (B) said touch data of the smartphone, and (C)said acceleration data of said smartphone; based on said correlating,(a) determining that a first user typically utilizes the smartphonevertically when utilizing a first particular application of thesmartphone, and (b) determining that said first user typically holds thesmartphone slanted relative to the ground when utilizing a secondparticular application of the smartphone; based on said determinations,differentiating among multiple users.

In some embodiments, the method comprises: determining whether a currentlocation of the smartphone is outdoors or indoors; correlating between(A) the current location of the smartphone being either outdoors orindoors, and (B) said touch data of the smartphone, and (C) saidacceleration data of said smartphone; based on said correlating,differentiating among multiple users.

In some embodiments, a method for confirming identity of a user of atablet may comprise: receiving touch data from a touch-screen of thetablet; receiving acceleration data from an accelerometer of the tablet;correlating between the touch data and the acceleration data; based onthe correlating, generating a user-specific trait indicative of saiduser of said tablet; storing, either locally within said tablet or on aremote server, a reference value of the user-specific trait, indicativeof said user of said tablet; in a subsequent usage session of thetablet, generating and storing a current value of the user-specifictrait correlating between touch data and acceleration data; and based ona comparison process between (A) the current value of the user-specifictrait that was generated, and (B) the reference value of theuser-specific trait that was previously generated, determining whetheror not a current user of the tablet is an authorized user of the tablet.

The present invention may include, for example, systems, devices, andmethods for detecting identity of a user of a mobile electronic device,and for determining that a mobile electronic device is used by afraudulent user.

In accordance with the present invention, for example, a method forconfirming identity of a user of a mobile electronic device maycomprise: receiving touch data from a touch-screen of the mobileelectronic device; receiving acceleration data from an accelerometer ofthe mobile electronic device; correlating between the touch data and theacceleration data; based on the correlating, generating a user-specifictrait indicative of said user. In accordance with the present invention,for example, the method may comprise: storing a reference value of theuser-specific trait, indicative of said user; in a subsequent usagesession of the mobile electronic device, generating a current value ofthe user-specific trait correlating between touch data and accelerationdata; and based on a comparison between the current value of theuser-specific trait and the reference value of the user-specific trait,determining whether or not a current user of the mobile electronicdevice is an authorized user of the mobile electronic device. Inaccordance with the present invention, for example, storing comprises:storing within said mobile electronic device; and said comparison isperformed within said mobile electronic device.

In accordance with the present invention, for example, storing comprisesstoring externally to said mobile electronic device; and said comparisonis performed externally to said mobile electronic device, and compriseswirelessly receiving at the mobile electronic device an indication ofsaid comparison. In accordance with the present invention, for example,said touch data comprises non-tactile touch data indicating a hoveringuser gesture in proximity to said touch-screen. In accordance with thepresent invention, for example, the method may comprise: receivinggyroscope data from a gyroscope of the mobile electronic device;correlating between the touch data and the gyroscope data; based on thecorrelating between the touch data and the gyroscope data, generatinganother user-specific trait indicative of said user. In accordance withthe present invention, for example, the method may comprise: capturingnon-tactile motion data indicating a user gesture; correlating betweenthe non-tactile motion data and the acceleration data; based on thecorrelating between the non-tactile motion data and the accelerationdata, generating another user-specific trait indicative of said user. Inaccordance with the present invention, for example, the method maycomprise: comparing between (a) a currently-calculated value of theuser-specific trait, corresponding to a current usage of the mobileelectronic device, and (b) a previously-calculated value of theuser-specific trait, corresponding to a previous usage of the mobileelectronic device; and based on a comparison result, performing at leastone of: restricting access of said user to an online service;restricting access of said user to an application installed on saidmobile electronic device; requiring the user to authenticate hisidentity to an online service; requiring the user to authenticate hisidentity to an application installed on said mobile electronic device.In accordance with the present invention, for example, the method maycomprise: based on said touch data, estimating user-specific motorcontrol parameters and user-specific motor control noise; and based onthe estimated user-specific motor control parameters and user-specificmotor control noise, differentiating between said user and another user.

In accordance with the present invention, for example, the method maycomprise: based on said touch data, estimating user-specific motorcontrol parameters and user-specific motor control noise of a controlloop which comprises translation error and gesture velocity error; andbased on the estimated user-specific motor control parameters anduser-specific motor control noise, differentiating between said user andanother user. In accordance with the present invention, for example, themethod may comprise: based on said correlating, estimating auser-specific physiological trait of said user; and based on theuser-specific physiological trait, differentiating between said user andanother user. In accordance with the present invention, for example,estimating the user-specific physiological trait of said user comprisesat least one of: estimating a length of a finger of the user; estimatinga width of a finger of the user; estimating a size-related parameter ofa finger of the user; estimating a distance between a tip of a finger ofthe user and another part of a hand of the user. In accordance with thepresent invention, for example, the method may comprise: based on saidcorrelating, estimating a user-specific behavioral trait of said user;and based on the user-specific behavioral trait, differentiating betweensaid user and another user. In accordance with the present invention,for example, estimating the user-specific behavioral trait of said usercomprises: determining that said user typically performs a particularinadvertent gesture while performing a user-intended input-providinggesture.

In accordance with the present invention, for example, estimating theuser-specific behavioral trait of said user comprises one or more of:determining that said user typically moves the mobile electronic deviceat a particular direction while performing a touch gesture; determiningthat said user typically rotates the mobile electronic device whileperforming a touch gesture; determining that said user typically slantsthe mobile electronic device at a particular angle while performing atouch gesture. In accordance with the present invention, for example,estimating the user-specific behavioral trait of said user comprises:determining that said user typically holds the mobile electronic devicewith a first hand of the user and concurrently performs aninput-providing gesture with a second hand of the user. In accordancewith the present invention, for example, estimating the user-specificbehavioral trait of said user comprises: determining that said usertypically holds the mobile electronic device with a single hand andconcurrently performs an input-providing gesture with said single hand.

In accordance with the present invention, for example, the method maycomprise: based on said correlating, estimating a first user-specificbehavioral trait of said user which corresponds to a first usagescenario; based on said correlating, estimating a second user-specificbehavioral trait of said user which corresponds to a second usagescenario; based on the first and second user-specific behavioral traits,differentiating between said user and another user. In accordance withthe present invention, for example, the method may comprise: based onsaid correlating, estimating a first user-specific behavioral trait ofsaid user which corresponds to a first usage scenario in which said useroperates said mobile electronic device while the user holds said mobileelectronic device; based on said correlating, estimating a seconduser-specific behavioral trait of said user which corresponds to asecond usage scenario in which said user operates said mobile electronicdevice while the user does not hold said mobile electronic device; basedon the first and second user-specific behavioral traits, differentiatingbetween said user and another user.

In accordance with the present invention, for example, a mobileelectronic device may be configured to confirm identity of a user ofsaid mobile electronic device; the mobile electronic device comprising:a touch-screen to receive touch data; an accelerometer to receiveacceleration data; a correlator module to correlate between the touchdata and the acceleration data; a trait extractor module to generate auser-specific trait indicative of said user, based on correlationbetween the touch data and the acceleration data.

Some embodiments may include a system, device, and method of detectingidentity of a user of a mobile electronic device; such as, a method forconfirming identity of a user of a mobile electronic device, the methodincluding: receiving touch data from a touch-screen of the mobileelectronic device; receiving acceleration data from an accelerometer ofthe mobile electronic device; correlating between the touch data and theacceleration data; based on the correlating, generating a user-specifictrait indicative of said user. The method further includes storing areference value of the user-specific trait, indicative of said user; ina subsequent usage session of the mobile electronic device, generating acurrent value of the user-specific trait correlating between touch dataand acceleration data; and based on a comparison between the currentvalue of the user-specific trait and the reference value of theuser-specific trait, determining whether or not a current user of themobile electronic device is an authorized user of the mobile electronicdevice.

The method may comprise: receiving touch data from a touch-screen of thesmartphone; receiving acceleration data from an accelerometer of thesmartphone; correlating between the touch data and the accelerationdata; based on the correlating, generating a user-specific traitindicative of said user of said smartphone; storing locally within saidsmartphone a reference value of the user-specific trait, indicative ofsaid user; in a subsequent usage session of the smartphone, generatinglocally within said smartphone and storing locally within saidsmartphone a current value of the user-specific trait correlatingbetween touch data and acceleration data; and based on a comparisonprocess that is performed exclusively within said smartphone, between(A) the current value of the user-specific trait that was generatedlocally and stored locally within said smartphone, and (B) the referencevalue of the user-specific trait that was previously generated locallyand stored locally within said smartphone, determining whether or not acurrent user of the smartphone is an authorized user of the smartphone.

In some embodiments, the method comprises: determining by saidsmartphone, an offset of holding said smartphone in a hand of said user,wherein the offset comprises an offset selected from the groupconsisting of: the smartphone being held with a palm area of the hand,and the smartphone being held with a fingers area of the hand; based onsaid offset of holding the smartphone in the hand, differentiating amongmultiple users.

In some embodiments, the method comprises: analyzing touch-data ofgenerally-straight swipe gestures performed by user on the touch-screenof said smartphone; determining that a first user typically rotates thesmartphone clockwise while performing generally-straight swipe gestures;determining that a second user typically rotates the smartphonecounter-clockwise while performing generally-straight swipe gestures;based on said determinations, differentiating among said first andsecond users.

Some embodiments comprise a method, device, and system ofdifferentiating between virtual machine and non-virtualized device; aswell as devices, systems, and methods of detecting user identity,differentiating between users of a computerized service, and detecting acyber-attacker. An end-user device (a desktop computer, a laptopcomputer, a smartphone, a tablet, or the like) interacts andcommunicates with a server of a computerized server (a banking website,an electronic commerce website, or the like). The interactions aremonitored, tracked and logged. Communication interferences areintentionally introduced to the communication session; and the servertracks the response or the reaction of the end-user device to suchcommunication interferences. The system determines whether the user is alegitimate human user; or a cyber-attacker posing as a legitimate humanuser but actually utilizing a Virtual Machine.

In some embodiments, a method comprises: determining whether a user, whoutilizes a computing device to interact with a computerized service, (A)is a user interacting with a non-virtualized computing device, or (B) isa Virtual Machine (VM) running on top of a Virtual Machine Monitor(VMM); wherein the determining comprises: generating and introducing aninterference into a communication session between the computerizedservice and the computing device; monitoring response of the computingdevice to said interference; based on the monitored response,determining whether said user, who utilizes the computing device tointeract with a computerized service, (A) is a user interacting with anon-virtualized computing device, or (B) is a Virtual Machine (VM)running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises duplicating apacket in said communication session between the computerized serviceand the computing device; wherein the determining comprises: based onthe response of the computing device to said interference of aduplicated packet, determining whether said user, who utilizes thecomputing device to interact with a computerized service, (A) is a userinteracting with a non-virtualized computing device, or (B) is a VirtualMachine (VM) running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises intentionallydropping a packet in said communication session between the computerizedservice and the computing device; wherein the determining comprises:based on the response of the computing device to said interference of adropped packet, determining whether said user, who utilizes thecomputing device to interact with a computerized service, (A) is a userinteracting with a non-virtualized computing device, or (B) is a VirtualMachine (VM) running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises inserting anerror code into said communication session between the computerizedservice and the computing device; wherein the determining comprises:based on the response of the computing device to said interference oferror code insertion, determining whether said user, who utilizes thecomputing device to interact with a computerized service, (A) is a userinteracting with a non-virtualized computing device, or (B) is a VirtualMachine (VM) running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises generatingnetwork congestion in said communication session between thecomputerized service and the computing device; wherein the determiningcomprises: based on the response of the computing device to saidinterference of network congestion, determining whether said user, whoutilizes the computing device to interact with a computerized service,(A) is a user interacting with a non-virtualized computing device, or(B) is a Virtual Machine (VM) running on top of a Virtual MachineMonitor (VMM).

In some embodiments, generating the interference comprises slowing-downnetwork transport in said communication session between the computerizedservice and the computing device; wherein the determining comprises:based on the response of the computing device to said interference ofslowed-down network transport, determining whether said user, whoutilizes the computing device to interact with a computerized service,(A) is a user interacting with a non-virtualized computing device, or(B) is a Virtual Machine (VM) running on top of a Virtual MachineMonitor (VMM).

In some embodiments, generating the interference comprises generatinglatency in said communication session between the computerized serviceand the computing device; wherein the determining comprises: based onthe response of the computing device to said interference of latency,determining whether said user, who utilizes the computing device tointeract with a computerized service, (A) is a user interacting with anon-virtualized computing device, or (B) is a Virtual Machine (VM)running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises generating acommunication error that causes a Virtual Machine Monitor (VMM) tohandle the communication error without passing the communication errorfor handling by an underlying Virtual Machine (VM); based on thehandling of said communication error, determining that the computingdevice is a Virtual Machine (VM) running on a Virtual Machine Monitor(VMM).

In some embodiments, the method comprises: generating a communicationerror that causes a packet to be handled by both (i) a virtualizednetwork card of a Virtual Machine (VM), and (ii) a hardware network cardof a computer on which said Virtual Machine (VM) is running; detectingdual-handling of said packet due to said communication error; based onsaid dual-handling, determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method comprises: generating a communicationerror that causes a packet to be handled by both (i) a virtualizeddriver of a Virtual Machine (VM), and (ii) a non-virtualized driver of acomputer on which said Virtual Machine (VM) is running; detectingdual-handling of said packet due to said communication error; based onsaid dual-handling, determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method comprises: determining whether saidcomputing device is defined by utilizing Network Address Translation(NAT) or by utilizing bridged networking; based on a determination thatsaid computing device is defined by utilizing Network AddressTranslation (NAT), determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method comprises: generating a communicationerror that is typically handled by an end-user device at a communicationlayer that is higher than data link layer (L2); monitoring the handlingof said communication error by said computing device; detecting thatsaid communication error was handled at the data link layer (L2); basedon said detecting, determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method comprises: measuring a time-to-live(TTL) value of packets transported from said computerized service tosaid computing device; based on said TTL value, determining whether saiduser, who utilizes the computing device to interact with a computerizedservice, (A) is a user interacting with a non-virtualized computingdevice, or (B) is a Virtual Machine (VM) running on top of a VirtualMachine Monitor (VMM).

In some embodiments, the method comprises: measuring a TransmissionControl Protocol (TCP) window size of said computing device; based onsaid TCP window size of said computing device, determining whether saiduser, who utilizes the computing device to interact with a computerizedservice, (A) is a user interacting with a non-virtualized computingdevice, or (B) is a Virtual Machine (VM) running on top of a VirtualMachine Monitor (VMM).

In some embodiments, the method comprises: storing in a repositoryprofiles of multiple computing stacks of Virtual Machines (VMs); duringthe communication session between said computerized service and saidcomputing device, generating an ad-hoc computing stack profile of saidcomputing device; if the ad-hoc computing stack profile of saidcomputing device matches a previously-stored profile of computing stackof Virtual Machine (VM), then determining that said computing device isa Virtual Machine (VM).

In some embodiments, the method comprises: storing in a repositoryprofiles of multiple computing stacks of non-virtualized computingplatforms; during the communication session between said computerizedservice and said computing device, generating an ad-hoc computing stackprofile of said computing device; if the ad-hoc computing stack profileof said computing device matches a previously-stored profile of acomputing stack of non-virtualized computing platform, then determiningthat said computing device is a non-virtualized computing platform.

In some embodiments, the method comprises: estimating two or moreparameters of a computing stack of said computing device; generating aweighted score based on said two or more parameters of the computingstack of said computing device; if the weighted score matches apreviously-calculated score that typically characterizes a VirtualMachine (VM), then determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method comprises: causing said computing deviceto perform a processing-intensive process, and monitoring progress ofsaid processing-intensive process; based on monitored progress of saidprocessing-intensive process, estimating whether said computing deviceis a single-core computing device or a multiple-core computing device;if it is estimated that said computing device is a single-core computingdevice, then determining that said computing device is a Virtual Machine(VM).

In some embodiments, the method comprises: causing said computing deviceto perform a resource-overloading process, and monitoring progress ofsaid resource-overloading process; based on monitored progress of saidprocessing-intensive process, estimating whether said computing deviceis a high-resource computing device or a low-resource computing device;if it is estimated that said computing device is a low-resourcecomputing device, then determining that said computing device is aVirtual Machine (VM).

In some embodiments, the method comprises: causing said computing deviceto invoke a process that attempts to directly access a graphics card ofsaid computing device; monitoring whether or not said processsuccessfully accessed directly the graphics card of said computingdevice; if it is detected that said process did not successfully accessdirectly the graphics card of said computing device, then determiningthat said computing device is a Virtual Machine (VM).

In some embodiments, the method comprises: causing said computing deviceto invoke a process that attempts to draw a particular on-screen graphicitem that can be drawn only by direct access to a graphics card of saidcomputing device; monitoring whether or not said process successfullydrew said graphic item; if it is detected that said process did notsuccessfully draw said graphic item, then determining that saidcomputing device is a Virtual Machine (VM).

The present invention may include, for example, systems, devices, andmethods for detecting identity of a user of an electronic device; fordetermining whether or not an electronic device is being used by afraudulent user or by a legitimate user; and/or for differentiatingamong users of a computerized service or among users of an electronicdevice. Some embodiments of the present invention may comprise devices,systems, and methods of detecting user identity, differentiating betweenusers of a computerized service, and detecting a possible attacker.

For example, the present invention may differentiate between: (i) agenuine user or legitimate user or authorized user, who directlyutilizes a real-world computing device in order to access a service or aremote server; and (ii) an attacker or hacker or “fraudster” orunauthorized user who accesses the service or the remote server byutilizing a Virtual Machine (VM) which runs on top of (or within) a VMhost or a VM monitor (VMM).

Applicants have realized that some hackers and fraudulent users mayutilize a Virtual Machine (VM) running on top of a hypervisor or VMMonitor (VMM), in order to perform or to facilitate fraudulent activity.The VM, or multiple VMs, may be used by a hacker or attacker forattacking, or carrying out malicious activities on, a remote system orremote computer. Each VM may have a unique or different “fingerprint”,and/or may mimic or imitate to some extent one or more characteristicsof a the victim's computerized environment (e.g., Operating System typeand/or version, browser, utilization of a stolen “cookie” file or“cookie” data-item, or the like); thereby allowing the hacker orattacker to avoid being detected or captured by security applicationsthat are device-oriented or that are based on identification ofDevice-ID, by security applications which track devices or computersthat had been known in the past to engage in hacking activities orattacks against the current system or other systems.

Applicants have further realized that a hacker may perform “cloning” orduplication of a computer (or computing environment) of a legitimateuser, in order to imitate the legitimate user or in order to pretendbeing the legitimate user, thereby avoiding the requirement to performan authentication process (e.g., after the legitimate user performsauthentication towards the service provider, such as a banking websiteor electronic commerce website; and such that the cloned environment mayalready contain a cloned or copied authentication key or “cookie” thatindicates to the server that the client is logged-in or authenticated).Additionally, a hacker may utilize VM technology in order to create,define and/or utilize a large number of VMs running on relatively smallcomputers or servers, thereby obviating the need for the hacker toacquire and operate numerous physical devices by utilizingvirtualization instead.

The present invention may detect activity performed by a VM, forexample, based on identifying different feedback or reaction from amouse or keyboard or other input unit; and/or by identifying differencesbetween the VM and the computer on top of which the VM is running (“thehosting environment”).

For demonstrative purposes, some portions of the discussion herein mayrelate to differentiation between: (A) a legitimate or authorized humanuser, and (B) an unauthorized user, or attacker, or cyber-attacker, whoutilizes a VM in order to access a computerized service and/or whileposing as if he is the legitimate authorized user. However, the presentinvention, and the modules and operations describe herein, may also beused, similarly, in order to differentiate between: (i) a human userthat interacts with a computerized service directly, without a VM,without a VMM, without a virtualized environment, by using anon-virtualized platform; and (ii) another human user, who may be acyber-attacker but may not necessarily be a cyber-attacker, who utilizesa VM and/or VMM and/or virtualized environment to access thecomputerized service, without necessarily cyber-attacking thecomputerized service (e.g., may be a human user that attempts to accessthe computerized service via a VM for testing purposes, or for grabbingdata or copying data, or for learning or probing the features or theelements of the computerized service).

In some embodiments of the present invention, a system may comprise, forexample: an end-user device able to communicate (directly or indirectly)with a server of a computerized service. The interactions betweenend-user device and server may be monitored by an interactionsmonitoring module, may be stored in an interactions log, and may beanalyzed by an interactions analyzer. The interactions analyzer may beassociated with, or may comprise, a legitimate user/VM differentiator,which may optionally comprise one or more of sub-systems that aredescribed herein; and/or may implement one or more other differentiatingoperations or methods that are described herein. The output of thelegitimate user/VM differentiator may be transferred to an optionalfraud estimator, which may estimate an aggregated threat-level orfraud-score associated with the particular user or session or account;and which may accordingly trigger a fraud mitigation module to performone or more fraud mitigation operations.

The system may be implemented by using suitable hardware componentsand/or software modules, which may be co-located or may be distributedover multiple locations or multiple devices. Components and/or modulesof the system may interact or communicate over one or more wirelesscommunication links, wired communication links, cellular communication,client/server architecture, peer-to-peer architecture, or the like.

In some embodiments, the system may comprise, for example, an inputunit, an output unit, a user interactions sampling/monitoring module, auser-specific feature extraction module, a database to store userprofiles, an ad-hoc or current user profile, a comparator/matchingmodule, a user identity determination module, a Fraud Detection Module(FDM), and a fraud mitigation module.

The system may monitor interactions of a user with a computerizedservice, for example, user interactions performed via an input unit(e.g., mouse, keyboard, stylus, touch-screen) and an output unit (e.g.,monitor, screen, touch-screen) that the user utilizes for suchinteractions at the user's computing device (e.g., smartphone, tablet,laptop computer, desktop computer, or other electronic device). Forexample, a user interactions monitoring/sampling module may monitor alluser interactions via the input unit and/or the output unit; and mayrecord, log, track, capture, or otherwise sample such user interactions;and/or may otherwise collect user interaction data.

In a demonstrative implementation, for example, an end-user may utilizea computing device or an electronic device in order to launch a Webbrowser and browse to a website or web-based application of acomputerized service (e.g., a banking website, a brokerage website, anonline merchant, an electronic commerce website). The web-server of thecomputerized service may serve code, for example HTML code, that the Webbrowser of the end-user device may parse and may display and/or execute.In accordance with the present invention, for example, a JavaScript codeor code-portion may be served to the Web-browser of the end-user device;or may otherwise be “called from” or loaded from an HTML page that isserved to the end-user device. The JavaScript code may operate as a“silent key-logger” module, and may monitor and track and log all theuser interactions via keyboard, mouse, touch-screen, and/or other inputunits, as well as their timing; and may write or upload or send suchinformation to the web-server or to a third-party server in which theuser interactions monitoring/sampling module may reside. In someembodiments, such “silent key-logger” may be implemented such that itlogs or records or stores or uploads to the server, or analyzes, onlyanonymous data, or only data that excludes the actual content of userinteractions, or only data that on its own does not enableidentification of the user or of the content that the user types; e.g.,by logging or storing only the data-entry rate or timing, or thekey-presses rate or timing, and while not storing (or while discarding)the actual key-presses or content types; for example, logging andstoring that the user typed eight characters in two seconds, rather thanlogging and typing that the user types the word “Jonathan” in twoseconds. The data describing the user interactions may be sent oruploaded, for example, every pre-defined time interval (e.g., everysecond, or every 3 or 5 or 10 seconds), or once a buffer of interactionsis filled (e.g., once 20 keystrokes are logged; once 6 mouse-clicks arelogged). Other suitable methods may be used to monitor and log userinteractions.

The user interaction data may enable a user-specific feature extractionmodule to extract or estimate or determine or calculate user-specificfeatures that characterize the interaction and which are unique to theuser (or, which are probably unique to the user). The user-specificfeature extraction module may store in a database multiple userprofiles, corresponding to various users of the computerized service. Auser may have a single stored profile; or a user may have multiplestored profiles that correspond to multiple usage sessions of that user(e.g., across multiple days; or across multiple usage sessions thatbegin with a log-in and end with a log-out or a time-out).

Once a user accesses (or attempts to access) the computerized service,and/or during the access of the user to the computerized service, theuser interaction monitoring/sampling module may monitor or sample thecurrent user interactions; and the user-specific feature extractionmodule may optionally create a current or ad-hoc user profile thatcharacterizes the user-specific features that are currently exhibited inthe current session of user interactions.

A comparator/matching module may compare or match, between: (i) valuesof user-specific features that are extracted in a current user session(or user interaction), and (ii) values of respective previously-capturedor previously-extracted user-specific features (of the current user,and/or of other users, and/or of pre-defined sets of values thatcorrespond to known automated scripts or “bots”). In someimplementations, the comparator/matching module may compare between thecurrent ad-hoc user profile, and one or more previously-stored userprofiles that are stored in the database.

If the comparator/matching module determines that one or more features,or a set of features, that characterize the current interaction sessionof the current user, does not match those features as extracted inprevious interaction session(s) of that user, then, a possible-fraudsignal may be generated and may be sent or transmitted to other modulesof the system and/or to particular recipients.

Additionally or alternatively, the comparator/matching module maycompare the features characterizing the current session of the currentuser, to features characterizing known automatic fraudulent mechanisms,known as malware or “bot” mechanisms, or other pre-defined data, inorder to determine that, possibly or certainly, the current user isactually a non-genuine user and/or is accessing the service via afraudulent mechanism.

In some embodiments, the comparator/matching module may comprise, or mayoperate in association with, a Fraud Detection Module (FDM), which maycomprise (or may be implemented as) one or more sub-modules, asdescribed herein.

In some embodiments, the output of the comparator/matching module may betaken into account in combination with other information that the frauddetection module may determine to be relevant or pertinent, for example,security information, user information, meta-data, session data, riskfactors, or other indicators (e.g., the IP address of the user; whetheror not the user is attempting to perform a high-risk activity such as awire transfer; whether or not the user is attempting to perform a newtype of activity that this user did not perform in the past at all, ordid not perform in the past 1 or 3 or 6 or 12 months or othertime-period; or the like).

The combined factors and data may be taken into account by a useridentity determination module, which may determine whether or not thecurrent user is a fraudster or is possibly a fraudster. The useridentity determination module may trigger or activate a fraud mitigationmodule able to perform one or more fraud mitigating steps based on thatdetermination; for example, by requiring the current user to respond toa challenge, to answer security question(s), to contact customer serviceby phone, to perform a two-step authentication or two-factorauthentication, or the like.

The system may be implemented by using suitable hardware componentsand/or software modules, which may be co-located or may be distributedover multiple locations or multiple devices. Components and/or modulesof the system may interact or communicate over one or more wirelesscommunication links, wired communication links, cellular communication,client/server architecture, peer-to-peer architecture, or the like

In some embodiments, the system may comprise a computerized serviceplatform able to communicate (e.g., via wireless communication links,via wired communication links, over the Internet, over TCP/IP or otherprotocols, over cellular network, or the like) with one or more end-userdevices, for example, end-user device 201 (e.g., operated by alegitimate user or authorized user) and end-user device 202 (e.g.,operated by an attacker or hacker or fraudulent user). In accordancewith the present invention, a Fraud Detection Module (FDM), or multipleFDMs, may be utilized in order to detect fraud or possible fraud, and/orin order to differentiate between (a) end-user device 201 operated by alegitimate user, and (b) end-user device 202 operated by an attacker.

The computerized service platform may comprise, for example, a Webserver, an application server, and a database which may provide aservice to remote user(s) that operate remote device(s). Such servicemay be, for example, banking service, brokerage service, financialservice, electronic commerce or e-commerce service, information service,entertainment service, or the like.

End-user device 201 may be operated by a legitimate user. End-userdevice 201 may utilize an Operating System (OS), which may enable theuser to utilize one or more installed software applications, forexample, an application, a web browser, or the like. The OS interactswith hardware components of end-user device, either directly or via OSdriver(s), in a non-virtualized way.

In contrast, end-user device 202 may be operated by an attacker. Forexample, end-user device 202 may comprise a first OS (e.g., Linux), onwhich a Virtual Machine Monitor (VMM) or Virtual Machine (VM) HostingEnvironment may be installed and may run. The VMM may create and maycontrol a Virtual Machine (VM), for example, having a second OS (e.g.,Windows) and having one or more applications (e.g., an application, aweb browser, or the like). The applications that run within the VM donot interact directly with the hardware of end-user device; rather, theVMM handles such interactions on their behalf.

One or more components of the system may comprise an FDM module. Forexample, in some implementations, the computerized service platform maycomprise therein an FDM; or may be associate with (or coupled to) anexternal FDM. Additionally or alternatively, FDM(s) may monitorcommunications between end-user devices and the computerized serviceplatform; for example, an FDM may monitor communications betweenend-user device 201 and the computerized service platform; andsimilarly, an FDM may monitor communications between end-user device 202and the computerized service platform. In some implementations, the FDMmay be implemented as part of end-user device, or as part of the OS orapplication or web-browser that runs on the end-user device. Each one ofthe FDM(s) (or other FDM which may be located elsewhere in the system)may perform fraud detection, and/or may differentiate between legitimateuser of end-user device 201 and fraudulent user of end-user device 202;and/or may differentiate between end-user device 201 which operates in anon-virtualized environment, and end-user device 202 which operatesutilizing a VM or in a virtualized environment.

A fraud detection sub-system in accordance with some demonstrativeembodiments of the present invention, may operate to detect activity orfraudulent activity that is performed by an attacker via a VirtualMachine (VM), or by a set or batch or group of VMs. The sub-system maybe implemented as part of, or as a sub-module of, the FDM(s) mentionedabove, or the legitimate user/VM differentiator, and/or other suitablesystems or modules.

The fraud-detection sub-system may comprise, for example: acommunication interference generator; a packet duplicator; an error codeinserter; a network congestion generator; a slow transport generator; alatency/delay generator; a packet dropper; aresponse-to-communication-interference analyzer; and a VM existenceestimation module.

The fraud-detection sub-system may comprise one or more securityapplications or electronic services which may inject or may introduce,for example, small interferences in the communication between theservice and the user's device. For example, a communication interferencegenerator may generate and/or inject and/or introduce smallinterferences in the communication between the service and the user'sdevice. In some embodiments, a packet duplicator module mayintentionally perform duplication of sent packet(s), or may cause thesending of multiple identical packets, as a communication interference.In some embodiments, an error code inserter module may cause intentionalinsertion of error codes into a communication session or communicationmessage that is transmitted to (or responded to) a user device. Anetwork congestion generator may create one or more network conditionsthat mimic or reflect network congestion, at pre-defined time intervals,or at pseudo-random time intervals. Similarly, a slow transportgeneration module may cause the online service to slow-down thetransport of data to the user, mimicking a slow network condition, atpre-defined times or time-intervals, or at pseudo-random times ortime-intervals. A latency/delay generator may artificially injectlatency or delay(s) into particular communications, or at pre-definedtimes or time-intervals, or at pseudo-random times or time-intervals. Apacket dropper module may intentionally drop a packet (or a set ofconsecutive packets, or a group of non-consecutive packets), or maymimic or imitate the accidental dropping or loss of such packet(s), froman ongoing communication session between a server and the user'scomputer.

The fraud detection sub-system may additionally comprise a response tocommunication interference analyzer and a VM existence estimationmodule. The Response-to-communication-interference analyzer may operateto track and monitor the response of the end-user device to thegenerated communication interference or abnormality and to analyze theresponse and its characteristics in order to determine whether or notthe end-user device is a VM based on the fact that VM(s) respond in adifferent manner to such communication interferences, compared to theresponse of a human user that directly utilizes a physical computingdevice. For example, one or more of such injected communicationinterferences may force the hosting environment (which hosts a VM in it,or on it) to expose its existence, thereby indicating that a VM isrunning on top of the hosting environment. Other suitable modules mayidentify, for example, that the activity received from the useroriginates from a VM, rather than from a human user, as describedherein.

Applicants have realized that in a usage session that involvesvirtualization, there is a greater amount or greater number ofcomponents that are involved in communication: the physical NetworkInterface Card (NIC) (or modem, or wireless modem, or other suitableadaptor or interface adapter); a driver supplied by the manufacturer ofthe physical NIC; a driver or application of the hypervisor (forexample, “esx” from VMware); a virtual driver that the hypervisorprovides to the VM; a driver of the VM itself (e.g., as Windows XP). TheVM existence estimation module may detect that one or more, or all, ofthese components are involved in the communication session, based on,for example, their handling of communication interferences, error codes,network congestion, slow transport, latency or delays, or the like.

In a demonstrative implementation, the system may measure the time ittakes for the “user”—be it the legitimate human user, or acyber-attacker operating a VM posing as the legitimate human user—torespond to various interferences or communication errors that may beintentionally introduced to the communication session; such as,non-responsiveness of the website or web-page or service that is beingaccessed, a response that includes errors or that appears to beerroneous, an “invalid” or improper response from the website orweb-page or service being accessed, or the like. Analysis of thereaction (e.g., as detailed herein) may point to the possibility thatthe “user” is actually or more-probably a VM running within or on top ahosting environment or VMM, rather than a human user interactingdirectly with a computing device.

Some implementations may monitor and/or identify the response from theend-user device (a real-world computer operated directly by a humanuser, or a VM hosted on top of a hosting environment) to suchintentionally-introduced interference; for example, whether re-send orre-submit operation were performed, whether the communication session(or website, or web-page) was abandoned or dropped, whether one or moreparameters or characteristics of the communication session was changedin response to the interference (e.g., resizing or maximizing of thewindow size), or the like.

In some implementations, for example, the system may intentionally dropor disregard an incoming packet, and may inspect whether or not thepacket is re-sent, what is the period of time that elapses until suchre-sending, and/or detect traffic incoming from a bot-net; optionallyusing such methods in order to detect an Application Denial-of-Service(DOS) attack.

In some embodiments, a fraud detection sub-system may operate to detectactivity or fraudulent activity that is performed by an attacker via aVirtual Machine (VM), or by a set or batch or group of VMs. Thefraud-detection sub-system may comprise, for example: a stack-based VMestimator; a TTL measurer; a TCP window-size measurer; an abnormalnetwork conditions generator; a stack profile generator; a stackprofiles repository; a stack profile comparator; a stack-componentscomparator; and a weighting module.

For example, some embodiments may utilize a Stack-based VM estimator todetect and/or identify differences among VM versus non-VMimplementations; which may take into account that a stack of oneoperating system (e.g., Microsoft Windows) is different from the stackof another operating system (e.g., Linux), and that stacks of differentversions of an OS (such as Windows XP versus Windows 8) are differentfrom each other. This may affect other measurable characteristics, suchas, for example, Time-To-Live (TTL) of packets which may be measured ortracked by a TTL measurer (e.g., by inspecting “Expires” header or“Expires” field in packets or HTTP headers or HTTP packets, or in a“cookie”; or using other TTL measurement techniques). Accordingly, eachimplementation may depend on the OS type, on the version of the OS orsome of its components (e.g., kernel version), on the patching level ofthe OS, and on other (e.g., default) configuration parameters of thatOS; for example, the TCP window size in Linux of a particular versionmay be X, whereas the TCP window size in Linux of another version (or,of Microsoft Windows 7) may be Y, and these parameters may be tracked ormeasured by a TCP window size measurer; thereby assisting theStack-based VM estimator to detect VM or non-VM users.

In accordance with the present invention, a computing system may beassembled and configured; for example, to comprise variousconfigurations and various setups of various VMs, having differenthypervisors, different OS types and/or OS versions, different NICs ornetwork cards, or the like. The system may further comprise an abnormalnetwork conditions generator able to generate interference orabnormality or error in particular communication network conditions orcharacteristics (e.g., delays, error codes, network congestion). Thesystem may additionally comprise real-life non-virtualized computingplatforms, to be used for comparison purposes against the various VMs.The abnormal network conditions generator may generate abnormal networkconditions or communication interferences based on a “fuzzy logic”algorithm; and/or based on specific pre-defined interference scenarios,for example, by using advanced settings of TCP or irregular settings forestablishing TCP connection, introducing packet loss, irregular packets,invalid packets, erroneous packets, dropped packets, duplicate packets,or the like.

Optionally, a stack profiles repository may be used to store multipleprofiles or multiple “signatures” of various computing stacks (e.g., aset of computing elements that consists of an operating system, kernelversion, drivers, hardware components that are used, TCP parameters,browser version, or the like). A stack profile generator may be used togenerate profiles or signatures to a variety of computing platforms,including real-life computing platforms as well as various VMs that arehosted on various hosting environments or VMMs; and such stack profilesmay be stored in the stack profiles repository; each profile orsignature may include a unique arrangement or aggregation of indicatorscorresponding to the above-mentioned computing elements (e.g.,represented as a long string or bit-stream, indicating operating system,kernel version, browser version, or the like). Subsequently, when anend-user device connects or attempts to connect to a service, the stackprofile generator may generate an ad-hoc stack profile for that end-userdevice, and a stack profile comparator may compare the current ad-hockstack profile to previously-stored stack profiles in the stack profilerepository. The comparison may yield a match between the current ad-hoccomputing stack profile, and a pre-stored computing stack profile of areal-world computing platform that is known to be authentic and non-VM,thereby indicating that a VM is most probably not involved in thecurrent communication session. Alternatively, the comparison may yield amatch between the current ad-hoc computing stack profile, and apre-stored computing stack profile that is associated with a VM or witha hosted environment or VMM, thereby indicating that a VM is mostprobably involved in the current communication session.

The system may check each interference scenario, against each VM andagainst each non-virtualized platform; and may detect differences withregard to functional parameters, performance time, delays, the contentthat is actually transported (payload, metadata, control data), theparticular timing of transport of data items, and other parameters, inorder to detect differences between VM and non-VM users. For example, astack-components comparator 430 may compare the value of each trackedparameter or component, with pre-stored values of real-world(non-virtualized) components and virtualized components; and a weightingmodule 431 may generate a weighted score indicating whether the entiretyof the computing stack, based on the weighted aggregation of itsdiscrete components, tends to be closer to matching a virtualizedplatform (a VM) or a non-virtualized platform (a real-world hardwarecomputer). The weights may be pre-defined or pre-allocated (e.g., usinga lookup table or other weights list), or the weights may be implementedas weight-parameters in a weighted fraud-score (or risk level, or threatlevel) formula which may be calculated.

Based on the insights of the comprehensive system, such communicationinterference module(s) may be integrated as part of the actual serviceor website or web-service or online service; and may generate theparticular interference(s) that would allow the system to detect that a“user” interacting with the service is actually a VM and not a directhuman user (namely, a human user that utilizes a non-virtualizedplatform).

In some embodiments, the fraud-detection sub-system may comprise, forexample: a resource-overloading module; a resource performanceestimator; a processing core(s) estimator; a communication interferencegenerator; an additional packet handler estimator; a layer-of-handlerestimator; a NAT/Bridged estimator; and a direct access tester.

For example, the present invention may identify that the user of aservice is actually utilizing a VM, by estimating and/or determining thenumber of processing cores and/or CPU cores and/or processing resourcesthat are associated with the user. Applicants have realized that somehackers often create VMs that are relatively weak in terms of processingpower or processing resources, and that are allocated only some and notall of the processing resources of the hosting environment; and/or thatmany VMs are defined or created by using a “default” setting of asingle-core machine (e.g., even if the hosting computer is a dual-coreor multiple-core machine).

The system may utilize a resource-overloading module 533 in order tointentionally run CPU-intensive or processing-intensive parallelcomputations or calculations, and may utilize a resource performanceestimator to measure or estimate the CPU strength and/or the processorcore count that are associated with the user-side device; which in turnmay be indicative of whether or not the end-user device is a(typically-weaker) virtualized environment (e.g., based on the time orprocessing-cycles or memory, which are actually used in order tocomplete a processing task or other resource-examining task).Optionally, the number of processing core(s) of the end-user device maybe estimated or determined by a processing core(s) estimator, based onthe performance of the end-user device in response toprocessing-intensive tasks that may be generated by theresource-overloading module. In some implementations, an estimate thatthe user-side machine has extensive processing resources and/or utilizesmore than one processing core (e.g., may contribute to (or may base) adetermination that the user is not a VM. In some implementations, anestimate that the user-side machine has low processing resources and/orutilizes a single processing core, may contribute to (or may base) adetermination that the user is actually a VM and not a human user. Othercharacteristics may be measured or estimated, by using JavaScript orother methods, and other indicators may be used for identifying a VMand/or for supporting a possible decision that the user is actually aVM.

Applicants have realized that some attackers or hackers may utilize a VMin order to imitate or mimic or emulate another computer or anothercomputing platform; for example, in order to create an impressiontowards a server computer of a service, as if the attacker's computer(which is a VM) is identical to or similar to the real-world computer(or computing device) of the victim (the real user, whose identity theattacker is imitating; or whose user account the attacker is trying tofraudulently access); and/or in order to create an impression towards aserver computer of a service, as if the attacker's computer (which is aVM) is different from the real-world computer that the attackerutilizes. Accordingly, an attacker that wishes to pose as a victim user,or that wishes to pose as a different (non-attacker) user, may utilize aVM that may mimic or imitate characteristic of a victim computer or of anon-attacker computer. The present invention may utilize one or moremethods or modules, in order to expose the fact that there isinconsistency, or incompatibility or mismatch, between (a) thecharacteristics of the computer that appears to be accessing the server,and (b) the characteristics of the computer that is actually accessingthe server as they are inferred or deduced from the behavior of suchcomputer in response to injected real-time communication errors orinterferences.

The present invention may thus determine, identify and/or estimate, thatthere is an additional or alternate “handler” which handles ormanipulates the communication packet; instead of or in addition to theexpected, single “handler” of communication packets. Based on theresponses to one or more injected communication interferences, anAdditional Packet Handler estimator may estimate or determine theexistence of such additional packet handler, which may be or mayinclude, for example, the physical NIC or network card of the computerhardware that hosts (or monitors) the VM; and/or the driver of thehypervisor, or the Operating System that hosts the VM; or the like. Forexample, the Additional Packet Handler Estimator may estimate or maydetermine that the characteristics of the virtual NIC or the virtualnetwork card (of the VM), or the virtual OS (of the VM), arecharacteristics that are typically associated with a VM and not with areal-world computing platform that runs directly on hardware (without aVMM); thereby estimating that probably a VM is being used to access theservice or the server.

In some implementations, any packet that reaches the VM, is handled byone additional handler or by two (or more) additional handlers, namely,additional component(s) that are not present in the communication flowwhen a real-world computer is utilized (without a VM); and suchpacket(s) are handled by particular software modules that are part ofthe VM software (e.g., a virtualized network card, a virtualized driverof a virtualized OS).

Applicants have realized that in some implementations, the VMM orhypervisor is often defined by utilizing Network Address Translation(NAT), as a network element in Layer 2, rather than by utilizing bridgednetworking. Accordingly, a NAT/Bridged Estimator may estimate that aclient device is utilizing NAT networking, rather than bridgednetworking; and may utilize this to determine or estimate that theclient device is actually a VM running on top of a VMM, rather than areal-world computer that directly runs on hardware.

In some implementations a Layer of Handler estimator may analyze thecommunications data and/or meta-data in order to estimate, at whichlayer of the communication session are packets being handled by theuser's device, or at which layer of the communication session arecommunication errors being handled by the user's device. For example, acommunication interference generator may inject or generate or introducecommunication interferences or abnormalities; and the Layer of Handlerestimator may identify or may estimate that lower-layer elements ormodules are handling such interferences or errors, thereby indicatingthat a VMM is handling such interferences or errors (and nottransferring such errors or interferences to handling by the VM itself).

Applicants have realized that typically, a VM may not be capable ofdirectly accessing a graphics card (or other graphic-processing hardwareelement) of the host computer on which the VM is hosted; whereas anon-VM environment may typically be capable of directly accessing thegraphics card (or other graphic-processing hardware element).Accordingly, a Direct Access Tester may attempt to directly access thegraphics card of the end-user device, by utilizing one or more suitablealgorithms or functions (e.g., by using or invoking WebGLWorker or othersuitable functions), and may examine the success or failure of suchattempt for direct access in order to deduce the possible existence of aVM.

In a demonstrative embodiment, for example, the Direct Access Tester mayutilize WebGLWorker (or other suitable function) in order to attempt todraw on the screen (e.g., on the actual screen of the end-user device,or on an invisible screen or a software-side screen that is not visibleby the user) a pre-defined or randomly-selected visual item thattypically requires direct access to the graphics card (e.g., athree-dimensional rotating cube or cuboid or box). If the attempt issuccessful, namely, the particular graphic element is successfullydrawn, then the Direct Access Tester may determine that the end-userdevice is not a VM (or, is most-probably not a VM); whereas, if theattempt fails, namely, the particular graphic element fails to be drawn,then the Direct Access Tester may determine that the end-user device isactually a VM running on top of a VMM.

In accordance with some embodiments of the present invention, a methodmay comprise: determining whether a user, who utilizes a computingdevice to interact with a computerized service, (A) is a userinteracting with a non-virtualized computing device, or (B) is a VirtualMachine (VM) running on top of a Virtual Machine Monitor (VMM); whereinthe determining comprises: generating and introducing an interferenceinto a communication session between the computerized service and thecomputing device; monitoring response of the computing device to saidinterference; based on the monitored response, determining whether saiduser, who utilizes the computing device to interact with a computerizedservice, (A) is a user interacting with a non-virtualized computingdevice, or (B) is a Virtual Machine (VM) running on top of a VirtualMachine Monitor (VMM).

In some embodiments, generating the interference comprises duplicating apacket in said communication session between the computerized serviceand the computing device; wherein the determining comprises: based onthe response of the computing device to said interference of aduplicated packet, determining whether said user, who utilizes thecomputing device to interact with a computerized service, (A) is a userinteracting with a non-virtualized computing device, or (B) is a VirtualMachine (VM) running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises intentionallydropping a packet in said communication session between the computerizedservice and the computing device; wherein the determining comprises:based on the response of the computing device to said interference of adropped packet, determining whether said user, who utilizes thecomputing device to interact with a computerized service, (A) is a userinteracting with a non-virtualized computing device, or (B) is a VirtualMachine (VM) running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises inserting anerror code into said communication session between the computerizedservice and the computing device; wherein the determining comprises:based on the response of the computing device to said interference oferror code insertion, determining whether said user, who utilizes thecomputing device to interact with a computerized service, (A) is a userinteracting with a non-virtualized computing device, or (B) is a VirtualMachine (VM) running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises generatingnetwork congestion in said communication session between thecomputerized service and the computing device; wherein the determiningcomprises: based on the response of the computing device to saidinterference of network congestion, determining whether said user, whoutilizes the computing device to interact with a computerized service,(A) is a user interacting with a non-virtualized computing device, or(B) is a Virtual Machine (VM) running on top of a Virtual MachineMonitor (VMM).

In some embodiments, generating the interference comprises slowing-downnetwork transport in said communication session between the computerizedservice and the computing device; wherein the determining comprises:based on the response of the computing device to said interference ofslowed-down network transport, determining whether said user, whoutilizes the computing device to interact with a computerized service,(A) is a user interacting with a non-virtualized computing device, or(B) is a Virtual Machine (VM) running on top of a Virtual MachineMonitor (VMM).

In some embodiments, generating the interference comprises generatinglatency in said communication session between the computerized serviceand the computing device; wherein the determining comprises: based onthe response of the computing device to said interference of latency,determining whether said user, who utilizes the computing device tointeract with a computerized service, (A) is a user interacting with anon-virtualized computing device, or (B) is a Virtual Machine (VM)running on top of a Virtual Machine Monitor (VMM).

In some embodiments, generating the interference comprises generating acommunication error that causes a Virtual Machine Monitor (VMM) tohandle the communication error without passing the communication errorfor handling by an underlying Virtual Machine (VM); based on thehandling of said communication error, determining that the computingdevice is a Virtual Machine (VM) running on a Virtual Machine Monitor(VMM).

In some embodiments, the method may comprise: generating a communicationerror that causes a packet to be handled by both (i) a virtualizednetwork card of a Virtual Machine (VM), and (ii) a hardware network cardof a computer on which said Virtual Machine (VM) is running; detectingdual-handling of said packet due to said communication error; based onsaid dual-handling, determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method may comprise: generating a communicationerror that causes a packet to be handled by both (i) a virtualizeddriver of a Virtual Machine (VM), and (ii) a non-virtualized driver of acomputer on which said Virtual Machine (VM) is running; detectingdual-handling of said packet due to said communication error; based onsaid dual-handling, determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method may comprise: determining whether saidcomputing device is defined by utilizing Network Address Translation(NAT) or by utilizing bridged networking; based on a determination thatsaid computing device is defined by utilizing Network AddressTranslation (NAT), determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method may comprise: generating a communicationerror that is typically handled by an end-user device at a communicationlayer that is higher than data link layer (L2); monitoring the handlingof said communication error by said computing device; detecting thatsaid communication error was handled at the data link layer (L2); basedon said detecting, determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method may comprise: measuring a time-to-live(TTL) value of packets transported from said computerized service tosaid computing device; based on said TTL value, determining whether saiduser, who utilizes the computing device to interact with a computerizedservice, (A) is a user interacting with a non-virtualized computingdevice, or (B) is a Virtual Machine (VM) running on top of a VirtualMachine Monitor (VMM).

In some embodiments, the method may comprise: measuring a TransmissionControl Protocol (TCP) window size of said computing device; based onsaid TCP window size of said computing device, determining whether saiduser, who utilizes the computing device to interact with a computerizedservice, (A) is a user interacting with a non-virtualized computingdevice, or (B) is a Virtual Machine (VM) running on top of a VirtualMachine Monitor (VMM).

In some embodiments, the method may comprise: storing in a repositoryprofiles of multiple computing stacks of Virtual Machines (VMs); duringthe communication session between said computerized service and saidcomputing device, generating an ad-hoc computing stack profile of saidcomputing device; if the ad-hoc computing stack profile of saidcomputing device matches a previously-stored profile of computing stackof Virtual Machine (VM), then determining that said computing device isa Virtual Machine (VM).

In some embodiments, the method may comprise: storing in a repositoryprofiles of multiple computing stacks of non-virtualized computingplatforms; during the communication session between said computerizedservice and said computing device, generating an ad-hoc computing stackprofile of said computing device; if the ad-hoc computing stack profileof said computing device matches a previously-stored profile of acomputing stack of non-virtualized computing platform, then determiningthat said computing device is a non-virtualized computing platform.

In some embodiments, the method may comprise: estimating two or moreparameters of a computing stack of said computing device; generating aweighted score based on said two or more parameters of the computingstack of said computing device; if the weighted score matches apreviously-calculated score that typically characterizes a VirtualMachine (VM), then determining that said computing device is a VirtualMachine (VM).

In some embodiments, the method may comprise: causing said computingdevice to perform a processing-intensive process, and monitoringprogress of said processing-intensive process; based on monitoredprogress of said processing-intensive process, estimating whether saidcomputing device is a single-core computing device or a multiple-corecomputing device; if it is estimated that said computing device is asingle-core computing device, then determining that said computingdevice is a Virtual Machine (VM).

In some embodiments, the method may comprise: causing said computingdevice to perform a resource-overloading process, and monitoringprogress of said resource-overloading process; based on monitoredprogress of said processing-intensive process, estimating whether saidcomputing device is a high-resource computing device or a low-resourcecomputing device; if it is estimated that said computing device is alow-resource computing device, then determining that said computingdevice is a Virtual Machine (VM).

In some embodiments, the method may comprise: causing said computingdevice to invoke a process that attempts to directly access a graphicscard of said computing device; monitoring whether or not said processsuccessfully accessed directly the graphics card of said computingdevice; if it is detected that said process did not successfully accessdirectly the graphics card of said computing device, then determiningthat said computing device is a Virtual Machine (VM).

In some embodiments, the method may comprise: causing said computingdevice to invoke a process that attempts to draw a particular on-screengraphic item that can be drawn only by direct access to a graphics cardof said computing device; monitoring whether or not said processsuccessfully drew said graphic item; if it is detected that said processdid not successfully draw said graphic item, then determining that saidcomputing device is a Virtual Machine (VM).

Modules, elements, systems and/or sub-systems described herein may beimplemented by using hardware components and/or software modules; forexample, utilizing a processor, a controller, an Integrated Circuit(IC), a logic unit, memory unit, storage unit, input unit, output unit,wireless modem or transceiver, wired modem or transceiver, internal orexternal power source, database or data repository, Operating System(OS), drivers, software applications, or the like. Some embodiments mayutilize client/server architecture, distributed architecture,peer-to-peer architecture, and/or other suitable architectures; as wellas one or more wired and/or wireless communication protocols, linksand/or networks.

Some embodiments may comprise devices, systems, and methods of detectinguser identity, differentiating between users of a computerized service,and detecting a possible attacker. The methods include monitoring ofuser-side input-unit interactions, in general and in response to aninterference introduced to user-interface elements. The monitoredinteractions are used for detecting an attacker that utilizes a remoteaccess channel; for detecting a malicious automatic script, as well asmalicious code injection; to identify a particular hardware assembly; toperform user segmentation or user characterization; to enable a visuallogin process with implicit two-factor authentication; to enablestochastic cryptography; and to detect that multiple users are utilizingthe same subscription account.

In some embodiments, a method comprises: determining whether a humanuser, who utilizes a computing device to interact with a computerizedservice via a communication channel, (i) is a human user that isco-located physically near said computing device, or (ii) is a humanuser that is located remotely from said computing device and isoperating remotely said computer device via a remote access channel;wherein the determining comprises: (a) monitoring interactions of theuser with an input unit of said computing device, in response to one ormore communication lags that are exhibited by said communicationchannel; (b) based on monitored user interactions via the input unit inresponse to said one or more communication lags, determining whethersaid human user (i) is a human user that is co-located physically atsaid computing device, or (ii) is a human user that is located remotelyfrom said computing device and is controlling remotely said computingdevice via said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining an actual reaction time of said user to saidinput/output aberration; if the actual reaction time of said user to theinput/output aberration, is greater than a pre-defined reaction-timethreshold value, then determining that the user is located remotely fromsaid computing device and is controlling remotely said computing devicevia said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining an actual reaction time of said user to saidinput/output aberration; defining a reference reaction time thatcharacterizes a maximum time that elapses between (I) generation of saidinput/output aberration to a local user, and (II) sensing of a reactionby the local user to said input/output aberration; if the actualreaction time of said user to the input/output aberration, is greaterthan said reference reaction time, then determining that the user islocated remotely from said computing device and is controlling remotelysaid computing device via said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining a time-length of a time-gap between (I)introduction of said input/output aberration, and (II) first discoveryof the input/output aberration by the user as exhibited by commencementof a corrective action by the user; if the time-length of said time-gap,is greater than a pre-defined time-gap threshold value thatcharacterizes non-remote users, then determining that the user islocated remotely from said computing device and is controlling remotelysaid computing device via said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining a time-length of a time-gap between (I)introduction of said input/output aberration, and (II) an end of acorrective action that the user performed in response to saidinput/output aberration; if the time-length of said time-gap, is greaterthan a pre-defined time-gap threshold value that characterizesnon-remote users, then determining that the user is located remotelyfrom said computing device and is controlling remotely said computingdevice via said remote access channel.

In some embodiments, the method comprises: hiding a mouse-pointer on ascreen of said computerized service; monitoring input unit reactions ofsaid user in response to the hiding of the mouse-pointer; based on theinput unit reactions of said user in response to the hiding of themouse-pointer, determining whether said user is (i) co-locatedphysically at said computing device, or (ii) is located remotely romsaid computing device and controlling remotely said computing device viasaid remote access channel.

In some embodiments, the method comprises: temporarily hiding anon-screen pointer of said computerized service; monitoring input unitreactions of said user in response to the hiding of the on-screenpointer; detecting latency in said input unit reactions of said user inresponse to the hiding of the on-screen pointer; based on detectedlatency in the input unit reactions of said user in response to thehiding of the on-screen pointer, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely rom said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: causing an on-screen pointerto deviate relative to its regular on-screen route; monitoring inputunit reactions of said user in response to deviation of the on-screenpointer; detecting latency in said input unit reactions of said user inresponse to the deviation of the on-screen pointer; based on detectedlatency in the input unit reactions of said user in response to thedeviation of the on-screen pointer, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely rom said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit of said computing device;based on a frequency of said sampling, determining latency ofcommunications between said user and the computerized service; based onsaid latency of communications, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit of said computing device;based on a frequency of said sampling, determining latency ofcommunications between said user and the computerized service; based onsaid latency of communications, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-smooth movement of the computer mouse, then,determining that said user is co-located physically near said computingdevice.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-rough movement of the computer mouse, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-linear movement of the computer mouse, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates sharp-turn movements of the computer mouse, then, determiningthat said user is located remotely from said computing device andcontrolling remotely said computing device via said remote accesschannel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit; if a frequency of saidmultiple interactions is below a pre-defined threshold, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel; if the frequency of said multiple interactions is abovethe pre-defined threshold, then, determining that said user isco-located physically near said computing device.

In some embodiments, the method comprises: overloading a data transfercommunication channel of the computing device that is used for accessingsaid computerized service; measuring an effect of said overloading onfrequency of sampling user interactions via an input unit; based on themeasured effect of said overloading, determining whether said user is(i) co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling user interactionswith an input unit of a mobile computing device; analyzing temporalrelationship between touch events and accelerometer events of sampleduser interactions with said input unit of the mobile computing device;based on analysis of temporal relationship between touch andaccelerometer events, of sampled user interactions with said input unitof the mobile computing device, determining whether the said mobilecomputing device is controlled remotely via said remote access channel.

In some embodiments, the method comprises: sampling user interactionswith an input unit of a mobile computing device; analyzing temporalrelationship between touch movement events and accelerometer events, ofsampled user interactions with said input unit of the mobile computingdevice; based on analysis of temporal relationship between touchmovement event and accelerometer events, of sampled user interactionswith said input unit of the mobile computing device, determining whetherthe said mobile computing device is controlled remotely via said remoteaccess channel.

In some embodiments, the method comprises: (A) sampling touch-basedgestures of a touch-screen of a mobile computing device; (B) samplingaccelerometer data of said mobile computing device, during a time periodwhich at least partially overlaps said sampling of touch-based gesturesof the touch-screen of the mobile computing device; (C) based on amismatch between (i) sampled touch-based gestures, and (ii) sampledaccelerometer data, determining that the mobile computing device wascontrolled remotely via said remote access channel.

In some embodiments, the method comprises: (A) sampling touch-basedgestures of a touch-screen of a mobile computing device; (B) samplingaccelerometer data of said mobile computing device, during a time periodwhich at least partially overlaps said sampling of touch-based gesturesof the touch-screen of the mobile computing device; (C) determining thatsampled touch-based gestures indicate that a user operated the mobilecomputing device at a particular time-slot; (D) determining that thesampled accelerometer data indicate that the mobile computing device wasnot moved during said particular time-slot; (E) based on the determiningof step (C) and the determining of step (D), determining that the mobilecomputing device was controlled remotely via said remote access channelduring said particular time-slot.

The present invention may include, for example, systems, devices, andmethods for detecting identity of a user of an electronic device, fordetermining whether or not an electronic device is being used by afraudulent user, and/or for differentiating between users of acomputerized service or between users of an electronic device.

Some embodiments may include devices, systems, and methods of detectinguser identity, differentiating between users of a computerized service,and detecting a possible attacker. The methods may include, for example:monitoring of user-side input-unit interactions, in general and inresponse to an interference introduced to user-interface elements. Themonitored interactions are used for detecting an attacker that utilizesa remote access channel; for detecting a malicious automatic script, aswell as malicious code injection; to identify a particular hardwareassembly; to perform user segmentation or user characterization; toenable a visual login process with implicit two-factor authentication;to enable stochastic cryptography; and to detect that multiple users areutilizing the same subscription account.

The present invention may include detection and/or prevention of RemoteAccess Trojan (RAT) attacks. For example, a RAT may include a computerprogram or malware designed to give an attacker full access to avictim's computer. The present invention may protect a computer userfrom RAT attacks, by using transparent Behavioral Biometrics methodswhich may be based on analysis of interactions through mouse, keyboardand/or touch interfaces. The system may utilize an InvisibleChallenge-Response mechanism that proactively generates larger amount ofadditional behavioral biometric data without users noticing any changeto the user experience. The RAT catcher module of the present inventionmay utilize knowledge of remote access protocols to provide tailoredmade yet robust detection and prevention techniques.

Cybercriminals use RAT to gain ultimate access to infected victimcomputer(s). Using the victim's access privileges and hardwarefingerprint, they can access and steal sensitive business and personaldata bypassing hardware detection security. Many types of AdvancedPersistent Threat (APT) attacks take advantage of RAT technology forbypassing strong authentication and are commercially available (e.g.,Poison Ivy, Dark Comet, Silent VNC, Zeus Plugin, Silent Team Viewer).These may be maliciously installed on a victim's computer usingdrive-by-download and spear-phishing tactics.

In a demonstrative RAT attack, a hacker's computer communicates with ahacker's command-and-control server; which communicates with a victim'scomputer; which communicates with a service provider (e.g., an onlinebanking service). The victim's computer sends (through the hacker'scommand-and-control server) to the hacker's computer, the screen andcursor data that the victim computer “sees” when it interacts with theservice provider; whereas, the hacker's computer sends (through thehacker's command-and-control server) to the victim's computer mousedata, keyboard data, or other input unit data, which the victim'scomputer sends further to the service provider. The victim's computersends out malicious or fraudulent interactions to the service provider,through the hardware of the victim's computer; thereby traversing anyhardware identification system.

There are multiple protocols for implementing RAT. Some are proprietaryand not published, while others are known. For instance, RFB (“remoteframe buffer”) protocol works at the frame buffer level, and thus it isapplicable to all windowing systems and applications, including X11,Windows and Macintosh. RFB is the protocol used in Virtual NetworkComputing (VNC) and its derivatives. The latter is commonly used by afraudster (e.g., Silent VNC). Another example is the Remote DesktopProtocol (RDP) developed by Microsoft, which may be used for cybercrime.Moreover, some fraudsters may utilize proprietary software such asTeamViewer for creating a silent fraud-style version or write their owntool from scratch.

In an experiment in accordance with the present invention, 255 usersentered a website designed to be similar to PayPal login screen, andentered an email address, a password, and clicked a login button. Mostusers accessed the website directly, while 60 users were requested toaccess it through a web-based remote access tool (Dell SonicWALL, andEricom AccessNow). The system of the present invention was able todetect RAT with 100% true detection rate, and with 0% false detectionrate.

The Applicants have generated a scatter-graph demonstrating thedifferentiation that may be achieved, in accordance with somedemonstrative embodiments of the present invention. The vertical axisindicates a first user-specific feature or characteristic, measured orextracted from monitored user interaction (for example, averagecurvature of mouse movement). The horizontal axis indicates a seconduser-specific feature or characteristic, measured or extracted frommonitored user interaction (for example, mouse movement speed in one ormore directions). Other suitable user-specific traits may be extracted,estimated, and/or charted or graphed.

Samples of interactions from a local are indicated with circles; samplesof interactions from a user utilizing a first RAT mechanism (RDP throughSonicWall) are indicated with squares; samples of interactions from auser utilizing a second RAT mechanism (Ercom AccessNow) are indicatedwith triangles. The two different RAT systems operate in different(non-similar) manner; and both of them, and each one of them, isdifferent from the characteristic of a local (genuine, non-RAT) user.The present invention may thus place user characteristics (interactionfeatures) on a similar chart or graph, utilizing one-dimension,two-dimensions, or multiple dimensions; in order to distinguish betweena genuine local user, and a fraudster (human hacker, or automatic scriptor “bot”) that utilizes a RAT-based mechanism, to access the service.

A system in accordance with some demonstrative embodiments of thepresent invention may comprise various components and/or modules. Thesystem may be implemented by using suitable hardware components and/orsoftware modules, which may be co-located or may be distributed overmultiple locations or multiple devices. Components and/or modules of thesystem may interact or communicate over one or more wirelesscommunication links, wired communication links, cellular communication,client/server architecture, peer-to-peer architecture, or the like.

The system may comprise a user-specific feature extraction module, whichmay extract or estimate user-specific features or traits orcharacteristics, that characterize an interaction (or a set or batch ofinteractions, or a session of interactions) of a user with a service,through an input unit (e.g., mouse, keyboard, stylus, touch-screen) andan output unit (e.g., monitor, screen, touch-screen) that the userutilizes for such interactions. A user interaction monitoring/samplingmodule may monitor all user interactions and may record, capture, orotherwise sample such interactions, and/or may otherwise collect userinteraction data which may enable the user-specific feature extractionmodule to extract or estimate user-specific features of the interaction.A database may store records of users and their respective estimateduser-specific feature values.

A comparator/matching module may compare or match, between values ofuser-specific features that are extracted in a current user session (oruser interaction), and values of respective previously-captured orpreviously-extracted user-specific features (of the current user, and/orof other users, and/or of pre-defined sets of values that correspond toknown automated scripts or “bots” or RAT mechanism). If thecomparator/matching module 204 determines that one or more features, ora set of features, that characterize the current interaction session ofthe current user, does not match those features as extracted in previousinteraction session(s) of that user, then, a possible-fraud signal maybe sent or transmitted to other modules of the system and/or toparticular recipients. The user-specific features, whose values may becompared or matched across usage-sessions, may include, for example,curvature (or curvature radius) of mouse movement or mouse strokes;acceleration and/or speed of mouse movement in one or more directions;and/or other suitable features.

Optionally, additionally or alternatively, the comparator/matchingmodule may compare the features characterizing the current session ofthe current user, to features characterizing known RAT mechanisms, knownmalware or “bot” mechanisms, or other pre-defined data; in order todetermine that, possibly or certainly, the current user is actually anon-genuine user and/or is accessing the service via a RAT mechanism.

In some embodiments, the output of comparator module may be taken intoaccount in combination with other information, security information,user information, meta-data, session data, risk factors, or otherindicators (e.g., the IP address of the user; whether or not the user isattempting to perform a high-risk activity such as wire transfer;whether or not the user is attempting to perform a new type of activitythat this user did not perform in the past at all, or did not perform inthe past 1 or 3 or 6 or 12 months or other time-period; or the like).The combined factors and data may be taken into account by a useridentity determination module, which may determine whether or not thecurrent user is a fraudster or is possibly a fraudster. The useridentity determination module may trigger or activate a fraud mitigationmodule able to perform one or more fraud mitigating steps based on thatdetermination; for example, by requiring the current user to respond toa challenge, to answer security question(s), to contact customer serviceby phone, to perform two-step authentication or two-factorauthentication, or the like.

The present invention may utilize active sensing and preventing of RAT,based on examination of different remote access protocols, operationsystems, hardware and viruses in a controlled environment and underdifferent network configurations. RAT detection may be achieved orimproved by using a perturbation generator module, able to introduceactive perturbation(s) on the client computer, which may not affect thelocal (genuine) user but may help to detect or even prevent remote userfunctionality or a RAT-based user, thereby making the RAT-catchingsystem of the present invention more robust and efficient, allowing toboth detect and prevent RAT in various protocols and scenarios with zeroor near-zero false rejection rates.

Some embodiments may utilize a mouse-pointer hiding module, able tocause the mouse-pointer to “disappear” or vanish or be non-visible or beless visible on a screen or monitor of a remote user (who utilizes a RATmechanism), while the mouse-pointer is fully-visible or at leastpartially-visible (or continuously visible) on the victim's computerscreen; or vice versa. In some embodiments, the mouse-pointer hidingmodule may operate to avoid showing a mouse-pointer on the victim'scomputer screen (e.g., by showing a white-on-white arrow, or atransparent arrow), while the victim's computer continues to transmit ortransfer mouse-pointer coordinates to the remote attacker's computerwhich presents (on the screen of the attacker's computer) a visiblemouse-pointer based on the transmitted pointer coordinates; and in suchcase, the system may differentiate or distinguish between users, sincefor example, the remote attacker may continue to operate regularly withregular mouse movements (as he is able to see the mouse-pointer on theattacker's computer screen), whereas a genuine local user may not seelocally the mouse-pointer and may perform reactive operations (e.g., maymove his mouse in a circle, or may move his mouse sidewaysback-and-forth, or up-and-down; or may press the Escape key, or mayperform hectic mouse movements).

In another implementation, a mouse-pointer displacement module mayoperate to cause displacement of the mouse-pointer (e.g., an arrow orother cursor or pointer), visible on the remote attacker's screen,relative to the mouse-pointer that is visible on the victim's screen.For example, the mouse-pointer displacement module may replace themouse-pointer in the victim's computer with a large transparent image(e.g., square or rectangle; for example, 150×150 pixels, or 200×200pixels), having a smaller arrow (e.g., 10 or 15 or 20 pixels long) at anedge or corner or side-region of the image. The remote attacker'scomputer may present the mouse-pointer according to the coordinates ofthe center of the image (the center of the square or rectangle); and asa result, a click or double-click performed by the remote attacker,based on the location of the center of the large image, would actuallybe displaced or deviated relative to the location of the arrow that isvisible on the victim's computer. The system may utilize this deviationor displacement of the mouse-pointer, to distinguish among users; forexample, the remote attacker (whose computer shows an arrow based ontransmitted cursor coordinates) would click “correctly” on buttons orfields or items; whereas a genuine local user, who sees a “displaced”arrow shown in a corner or an edge of a greater transparent rectangle,would click “incorrectly” on white spaces or in proximity to GUIelements (e.g., near buttons, near text-fields, near radio-buttons, nearcheckboxes) but not inside them.

Some embodiments may generate and utilize a modified mouse-pointer whichmay be used for distinguishing a local (genuine) user from a remoteattacker. For example, the mouse-pointer of a computing device (whichbelongs to the genuine user, the local user) may be modified or changedor replaced with a rectangular or square-shaped image, having a “fake”arrow pointer in its upper-left corner. The result of replacing themouse-pointer with the image is, that a “fake” arrow is shown at thecorner, away from the “real” center which is empty and does not show anypointer. A remote attacker is able to correctly and/or rapidly click ona “submit” button. The remote attacker's computer receives from thevictim's computer the coordinates of the center, and the remoteattacker's computer shows to the attacker (on his remote computer) amouse-pointer at that center; the remote attacker brings thatmouse-pointer into the “submit” button, and is able to correctly clickwithin the submit button. In contrast, the local genuine user is notable to correctly (or rapidly) click within the “submit” button. Thelocal user does not see the mouse-pointer at the center of the image;rather, the local user sees only the “fake” arrow at the corner of theimage. Therefore, the local user may move his mouse to bring that “fake”arrow into the “submit” button, and may click on the mouse button there.However, such mouse-click will not actuate the “submit” button, becauseonly the “fake” arrow is within the boundaries of the “submit” button,whereas the “real” coordinates of the center are deviated away,externally to the “submit” button. Accordingly, the local user may beclicking (sometimes repeatedly, several times in a row) within a whitearea, or within area that is not occupied by GUI elements. This mayenable the system to differentiate between the local genuine user andthe remote attacker.

In another implementation, a RAT latency estimator may be used in orderestimate whether a current user is a local (genuine) user or a remote(fraudulent, RAT-based) user, by introducing or generating or injectingan aberration or perturbation or interference or anomaly (e.g., aUI-based or GUI-based aberration or perturbation or interference oranomaly), and measuring or monitoring the response time that elapsesuntil the user reacts to such perturbation. For example, theperturbation generator module may cause the mouse-pointer to entirelydisappear, on both the victim's computer screen and the remoteattacker's computer screen, via a suitable command or operating systemprocedure or function or script; a local (genuine) user may immediatelyreact to such disappearance of a mouse-pointer (or cursor), via one ormore suitable reactions (e.g., may move his mouse in a circle, or maymove his mouse sideways back-and-forth, or up-and-down; or may press theEscape key, or may perform hectic mouse movements); whereas a remoteattacker or a RAT-based attacker may suffer from some degree of latencyor lag or delay in communication, due to his being remote, and thus theremote attacker would react to such disappearance later or significantlylater than a local (genuine) user would react (e.g., at a reaction delaythat is greater than a pre-defined threshold value, or that is notwithin an acceptable pre-defined range of delay values). The system maythus utilize such injected GUI-based (or other types of user experience)interferences, as a trigger for measuring the latency or delay or lag inuser response or the latency (or delay, or lag) in user reaction; agreater latency or delay or lag (e.g., relative to previousmeasurements, or relative to a threshold value, or relative to a rangeof acceptable values) may indicate that the user is a remote attacker ora RAT-based attacker; while a shorter latency or delay or lag (e.g.,relative to previous measurements, or relative to a threshold value orrange of values) may indicate that the user is a local (genuine) userand not a remote attacker.

Optionally, the system may create user-specific profiles which maycomprise cognitive and/or behavioral user-specific traits, based onaberrations or discrepancies that may be based on (or related to)cognitive bias, in order to identify possible identity theft, fraudster,“man in the browser” attacker, and/or non-human (“bot”) moduleimpersonating a human user. Such user-specific traits may be extractedby utilizing, for example, priming, Stroop effect, bias of free choice,false fame effect, or the like. For example, a cognitive bias estimatormay be used to trigger, and measure or estimate, cognitive bias oruser(s) for purposes of differentiating between a genuine or local user,versus a remote user or remote attacker or RAT-based used. In ademonstrative example, the perturbation generator module may introduce aGUI-based perturbation only at a log-in screen of a service orapplication or website; for example, causing the mouse-pointer to movein a certain deviated manner relative to the hand-movement of the user.A genuine (local) user may have cognitive bias, and may operate hislocal mouse device in a way that “corrects” the mouse-pointer deviationin the log-in screen. In the next or subsequent screen, the perturbationmay not be maintained by the system, or may be removed by the system; alocal (genuine) user may still have some degree of cognitive bias, andmay still operate the mouse (at least for a short period of time, e.g.,1 or 2 or 5 seconds) in the previous “corrective” manner that he did inthe log-in screen. In contrast, some types of remote attackers, orRAT-based attackers, may not operate prior to the logging-in of thegenuine user, or may start operating only after the genuine userlogged-in; and such remote attacker would not be aware of any log-inscreen perturbation that had occurred, and would not have any cognitivebias, and would not operate his mouse in the “corrective” manner that abiased local user would do. This may allow the cognitive bias estimatorto distinguish between a genuine local user and a remote attacker.

Some embodiments may identify man-in-the-browser attacks or sessionhijacking attacks, based on behavioral and/or cognitive meta-datarelated to the particular application being used, for example, differentresponse time, different hardware-related behavior, cognitive variancebetween adjacent sessions, responses to aberrations, cognitive bias, orthe like. Some embodiments may utilize biasing, hardware identification,adjacent sessions identification, and/or identification of RAT attacks.In some embodiments, the RAT identification may have an equal error rate(EER) of virtually zero percent when hundreds of users are observed.

In some embodiments, an interaction signal sampling and analysis modulemay analyze a sample of the signal of the user interaction, thefrequency of sampling, the types of noise of the sample, channelestimation, response time to aberrations, diluted mouse trajectorysamples, first order hold sampling of mouse trajectory, or otheruser-specific traits which may be extracted or analyzed when two users(human and/or non-human) generate a signal corresponding touser-interaction at different times and at different sampling rate. Forexample, sampling of mouse movement of a remote attacker's mouse, may bedifferent from sampling of mouse movement of a local (genuine) user.

In a first example, in a remote communication session the communicationprotocol attempts to reduce communication overhead, and thus may sampleless mouse-movement points or may sample the mouse movement at a lower(or reduced) frequency, relative to a local system that does not havecommunication limitations; and as a result, the mouse movement of aremote attacker, when sampled, may show a less-smooth movement or a more“noisy” or noise-affected movement, whereas sampling of a mouse movementof a local user would show a smooth or smoother movement with lessnoise; thereby allowing the interaction signal sampling and analysismodule to differentiate between a remote attacker and a local user.

In a second example, the remote communication session (of the RAT-basedattacker) may suffer from its own limitations, constraints, latency, orits own noises or patterns of noise; which may affect the mouse-movementsampling, and may allow differentiation between the remote attacker anda local user based on such communication noises of the remote accessprotocol.

In both examples, additionally or alternatively, such “noises” in theremote access protocol may affect the latency (or timing) of userreaction to the injected perturbation, and/or may affect the pattern orother characteristics of the user reaction (e.g., the shape of the mousemovement itself). In some embodiments, optionally, a remote-accessburdening module may be used by the system in order to intentionallyburden or overload the victim's computer resources and/or to burden oroverload the remote access protocol (for example, by requiring thevictim's computer to upload and/or download large amounts of data from aserver controlled by the service being protected, thereby leavingnarrower bandwidth and increased latency for the attacker's remoteaccess communication channel); and thereby increasing the effects ofsuch noises due to overloaded communication protocol, or making suchcommunication noise more significant and more observable, and enablingthe system to detect the remote attacker more rapidly or in a morecertain manner.

The user-specific signal characteristics may be stored in the database,and may be used subsequently by comparator/matching module in order tocompare or match between current-characteristics andpreviously-estimated characteristics, thereby enabling a decisionwhether or not the current user is genuine or fraudulent.

Some embodiments may identify man-in-the-browser (MITB) attacks orsession hijacking attacks, based on user-interaction data, injection ofaberrations, analysis of user reaction, and extraction of parametersthat may indicate fraud. In a demonstrative example, a remote attackermay utilize a “Trojan” malware module that is installed on the computingdevice of the genuine user, when the genuine user is logged-in to therelevant service (e.g., online interface of a bank account). Theattacker may thus enter into the account of the genuine user, and mayoperate therein. Such attack may include, for example, two sessions thattake place in parallel or in sequence; operation of the attacker from aremote computer; utilization by the attacker of hardware which may bedifferent from the hardware of the victim's device; and/or utilizationof an automatic script which may operate on the bank account (from aremote server, or directly from the victim's device). The terms “RAT” or“Remote Access Trojan” are used herein for demonstrative purposes; andmay include other types of Remote Access (RA), remote access via amalware or virus or malicious code, or other types of unauthorized orillegitimate or illegal remote access.

In some RAT attacks, a malware module is installed in a victim's device,and sends or transmits data to a remote computer of the attacker, thedata including mouse data as well as screen-shots. Often, to allow asmaller upload of data from the victim to the attacker, images arecompressed, or are skipped (e.g., the mouse pointer may be uploaded tothe attacker, whereas an underlying background image may be sometimesskipped). The system may utilize an aberration generator to generate oneor more aberration(s) that will cause a situation in which the attackerand the victim do not see a visually identical screen, and thereforetheir reaction would be different and may allow the system to identifythe attacker. For example, the aberration generator 209 may generate orinject an aberration or interference, which causes the victim's computerand the remote attacker's computer to show non-identical screens, due totiming difference, latency, bandwidth or throughput limitations (of theconnection between the attacker and the victim), due to utilization ofdifferent hardware (e.g., different screen sizes or screen resolution)by the attacker and victim, or the like. For example, the mouse pointermay be moved or relocated, to be at different locations; such as, to bein a first location at the victim's screen, while being in a secondlocation at an attacker's screen.

Additionally or alternatively, the upload or transmission channel (tothe attacker's device) may be sabotaged, by a channel overloadingmodule, such as by creating an overload of data that needs to beuploaded or downloaded or exchanged or transmitted between the attackerand the victim (or vice versa); or by causing a significant delay orlatency for the attacker, for example, by sabotaging the ability toefficiently compress image(s), e.g., by broadcasting video (for example,invisibly to the genuine user) or rapidly-changing graphical elements orrapidly-changing content items or rapidly-updating content items. In ademonstrative implementation, data which should not typically bedisplayed as a video (e.g., text, static image), may be presented as avideo or a continuous video clip, to overload a transmission channelwhich an attacker may utilize for the RAT mechanism. The system mayotherwise cause aberrations or intentional discrepancies that mayoverload the communication channel between the victim device and theattacker device, thereby causing the communication channel to operate ina bursting manner and thus make the attack identifiable.

Optionally, the system may cause the victim's computer to perform anupload at a particular frequency, which may then be identified in thesignal of the mouse events of the remote attacker. For example, thesystem may comprise a sampling frequency modifier module which mayperform one or more operations which may cause, directly or indirectly,a modification (e.g., a decrease or reduction) in the frequency of thesampling of the input unit interaction of a remote attacker. In ademonstrative example, the system may comprise an animation/videoburdening module which may present on the victim's computer screen, oneor more animation clips and/or video clips of generally static content,such that the victim may not even notice that they are animated orvideos; for example, rapid animation or video which switches between two(or more) very similar shades of a particular color that arenon-distinguishable to the eye of a typical user. The remote accessprotocol that is used in the RAT attack needs to transmit the screencontent of the victim's computer to the remote attacker's computer; andtherefore, the excessive animation/video may burden or overload theremote access communication channel, and may cause a modification of thefrequency of the sampling of the interactions of the attacker; and thefrequency in which the animation (or video clip) is being animated mayaffect in a particular manner the frequency of the transmittal ofpackets from the victim's computer to the remote attacker's computerand/or may affect the sampled signal that represents the interactions ofthe remote attacker; thereby allowing the system to more rapidly or morecertainly detect that a remote attacker is interacting with the service.

Some embodiments may extract time-based or time-related parameters whichmay be user-specific and may be used as user-specific traits for useridentification purposes. For example, aberrations or challenges may begenerated and injected into an interaction of a user with a service orapplication or website, which may require a response or reaction fromthe user (in a visible or conscious manner, or in a non-visible orun-conscious manner, from the user's point of view). An aberrationreaction monitoring module may monitor and determine the reaction of theuser to introduced aberrations, as well as characteristics of suchreaction; for example, was the reaction correct or incorrect, the timingor the latency of the reaction, or the like. Time-based parameters maybe extracted, for example, the time period that it takes the user torecognize or discover the aberration and/or to respond to it (or resolveit), the time period that it takes the user to adapt his behavior (e.g.,his general mouse movement) to a continuous aberration (e.g., adaptationtime, training time), learning curve of the user regarding theaberration (frequency or rate of corrections; magnitude of corrections),or the like. A remote attacker typically has a latency or time-delay,with regard to appearance of the aberration or challenge, as well asdifferent time-based parameters for responding to the aberration orchallenge; and this may allow the system to distinguish or discriminatebetween the genuine user and a remote attacker.

Some embodiments may analyze a sampling signal of the user interaction,for example, sampling frequency (mouse-related, keyboard-related,touch-screen related), types of sampling noises, channel estimates,response time to aberrations, diluted mouse trajectory samples, firstorder hold sampling of mouse trajectory, or other parameters which maybe different from (or may be affected by) parallel operation of twousers (e.g., a genuine user and a remote attacker) that generateinteraction signals at different times and with different samplingfrequencies. Optionally, such features may be extracted in order toestimate or determine the type of hardware utilized by a user, andthereby assist in distinguishing between a local user versus a remoteattacker. In a demonstrative example, the system may comprise a hardwareidentification module able to identify hardware utilized by the userand/or able to distinguish between hardware utilized by a remoteattacker or a local (genuine) user. For example, each set of hardwarecomponents of a computing device, may sample the mouse events at adifferent frequency and/or with dependence on the available resources(or the overload) of the computer being used. A machine-learning processmay be performed in order to allow the hardware identification module tolearn the characteristics of the sampling of the mouse events (orkeyboard events) of the genuine user, given an average level of computerresources burdening (or availability), which may be known or unknown. Inmany cases, the remote attacker may utilize a computer or computingdevice having hardware specifications and/or resources availability thatmay be different from those of the victim's computer; and therefore, thesampling of the remote attacker's mouse interactions (or keyboardinteractions) may be different from that of the local victim's; therebyallowing the hardware identification module 236 to determine that acurrent user utilizes a mouse (or keyboard) that are different fromthose that the genuine user had used in previous usage sessions,triggering a possible fraud alert.

In some embodiments, a remote attacker may utilize a remote device(having a remote display unit and a remote mouse and keyboard), whichmay translate into a relatively low sampling frequency for the userinteraction of such remote attacker. Optionally, an aliasing injectormodule may inject or introduce aliasing operations, which may not bevisible or noticeable or significant to a local (genuine) user, but maysignificantly burden the interaction of a remote attacker. For example,a mouse pointer may be alternately hidden (e.g., at a frequency of 50Hz), thereby causing the mouse pointer to be visible only to a localuser but not to a remote attacker (or vice versa, depending on the exactconfiguration of such aberration); and the user's response may allow toidentify whether the user is a genuine local user or a remote attacker.

In some embodiments, an adjacent session detection module may identifyadjacent usage sessions of the attacker and the victim. For example, thesystem may compare between sessions having a relatively short timeinterval between them (e.g., five seconds apart, or one minute apart);the system may compare the user interaction parameters of those twosessions, between themselves and/or relative to one or more historicprofile(s) or previously-monitored interaction sessions of that user. Insome embodiments, the system may analyze the later of the two sessionsagainst the interaction parameters of the earlier of the two sessions,rather than against the historic or general interaction profile of theuser. Optionally, the system may generate an ad-hoc profile or temporaryprofile, per usage session, which may be stored and utilized for a shortperiod of time (e.g., 30 or 60 minutes); optionally, an ad-hoc profileor temporary profile may not necessarily be merged or fused into thegeneral profile of the user; but rather, may be kept or utilizedtemporarily, while evaluating whether or not the current user is indeedthe genuine user or an attacker; and only if the system determines thatthe current user is genuine, then, his long-term profile may be updatedin view of his interactions in the current session.

Some embodiments may identify a fraudulent usage session by training theuser to a particular behavior and testing for such behavior; forexample, by launching aberrations that cause the user to change its modeof interaction within the next few seconds or minutes and while theaberration is still carried on. For example, the system may change therelation between the physical movement of the mouse and the virtual oron-screen cursor or pointer during the log-in process, and then makeanother modification subsequent to the log-in process. Similarly, thesystem may modify the delay time or delay interval between thepressing-down of a key on the keyboard, and the appearance of thesuitable character on the screen. The system may generate other, small,aberrations in proximity to a button or link that needs to be clicked orselected, thereby requiring the user to aim the mouse more accurately;or in a touch-screen device, introducing an artificial delay betweentouching an on-screen key until character appears on the screen, therebycausing the user to prolong or extend the pressing time or touchingtime. In some embodiments, one of the two sessions may be injected withsuch aberrations, whereas another of the two sessions (e.g., thelater-starting session) may not be injected with such aberrations; andsampling and analysis of input unit events may enable the system todistinguish between a local (genuine) user and a remote attacker.

Some embodiments may utilize a priming messages module, such that amessage is briefly or instantaneously shown or is flashed on the screenfor a very short time in order to convince the user, sub-consciously, touse a first button or interface element instead of a second one. Thesystem may identify a remote attacker or “bot” or malware due to theirignoring of such priming messages, which may not be transferred from thevictim's computer to the remote attacker's computer due to limitationsof the remote-access protocol or communication channel; or the systemmay identify a remote attacker since such priming messages maydifferently affect the interactions of different users (e.g., thegenuine user may ignore such priming messages, whereas the remoteattacker may obey them; or vice versa).

Some embodiments may detect that a mobile computing device (e.g., asmartphone, a tablet) is being controlled (or was controlled) via aremote access channel (e.g., by a remote attacker who utilizes anon-mobile computing platform, such as a desktop computer or a laptopcomputer). Some embodiments may detect that a mobile computing devicethat has a touch-screen and an accelerometer (e.g., a smartphone, atablet) is being controlled (or was controlled) via a remote accesschannel by a remote attacker who utilizes a computing platform thatlacks an accelerometer (such as a desktop computer or a laptopcomputer). Some embodiments may detect other scenarios or attacks, inwhich an attacker utilizes a desktop or laptop computer, in order toremotely access a mobile computing device (e.g., smartphone or tablet).

For example, touch-screen movements and/or gestures and/or taps may bemonitored, captured and/or sampled; and may be compared or matchedagainst accelerometer(s) data for the same time-period (or for a timeperiod or time-slot which is at least partially overlapping). The systemmay detect that the touch-screen event sampling indicates that the userof the mobile device has manually performed gestures on thetouch-screen; whereas, at the same time, accelerometer data from themobile computing device is absent, or is null, or indicates noacceleration and no deceleration. Such mismatch or anomaly may indicatethat the mobile computing device (e.g., smartphone or tablet) is or wasactually being controlled remotely, by an attacker who utilizes a remoteaccess channel, which enabled the attacker to emulate or simulate“touch-screen gestures” (taps, movements) through the attacker's inputunit (e.g., mouse, touch-pad), but did not enable the attacker to affectthe accelerometer data that the mobile computing device produces. Someimplementations may thus detect that a mobile computing device appearsto be performing manual gestures, while the device itself is notphysically moving or shaking (even minimally), or while the deviceitself is at a complete rest; thereby indicating that possibly a remoteaccess attack is or was performed.

The system may further comprise an Automatic Script Detector (ASD)module, which may be a component or module able to detect an automaticscript (or malware, or virus, or Trojan, or “bot”, or maliciousautomated code or program), which may attempt to control a user account(or a subscriber account, or an online account of a genuine user), in anun-authorized or illegal or fraudulent manner. In some embodiments, theASD module may utilize one or more of the functions described above, inorder to detect such automatic script, or in order to distinguish ordifferentiate between a human user (e.g., the genuine or legitimate orauthorized human user) and a “bot” or automated script. It is clarifiedthat ASD module may detect, for example, that a malicious orunauthorized automatic script or code is running or is “interacting”artificially or automatically with a computerized service, or is“impersonating” a human user. Naturally, some or most computing devicesmay run authorized scripts, such as Operating System, drivers,anti-virus programs, authorized background tasks (e.g., backups); andthe ASD module is not aimed at detecting such authorized processes, butrather, aimed at detecting unauthorized and/or unknown and/or maliciousscripts or code or programs.

Some embodiments may detect an automatic script which may operate as aman-in-the-browser attack (or in a man-in-the-middle attack), and whichmay modify some or all of the data items that are sent from the victim'scomputing device to a web-server or application-server; for example,modifying a recipient bank account data, when the genuine user instructshis bank to perform a wire transfer. The system may identify such scriptor attack, by comparing between the original data that the genuine userhad inputted and instructed to send out, to the (modified) data that wasactually received at the bank's server. In a demonstrative embodiment,the system may detect that the genuine user had inputted six keystrokeswhen he types the recipient's name, whereas the recipient's name asactually received at the bank server has other number of characters (notsix characters). Some embodiments may further examine patterns of theinputting method, if the number of characters is identical, in order todetect a possible fraud.

In some implementations, the ASD module may comprise or may utilize aninteraction data correlator, able to correlate or match or comparebetween: (a) data indicating that a transaction was commanded or orderedor requested from the user's side, and (b) data indicatinguser-interface interactions (e.g., mouse-clicks, mouse gestures, mousemovements, keyboard keystrokes, touch-pad events, mouse events, keyboardevents, other input-unit events). For example, the ASD module may beconnected to, or associated with, an online banking application orweb-site or service; and may monitor interactions of the user with thatservice. The ASD module may detect that the online banking servicereports that the user commands to perform a wire transfer (e.g., withoutnecessarily receiving from the banking service a copy of the actualdata, such as, without receiving the data of the beneficiary name, thebeneficiary account number, the amount of wire transfer, or the like).Upon such report or trigger from the online banking service, the ASDmodule may check whether or not any input-unit interactions werereceived from the user's device, for example, in a particular recenttime-period (e.g., in the most-recent 1 or 2 or 5 or 10 minutes). Forexample, the interaction data correlator may detect that even though awire transfer was commanded or requested from the user's side, the GUIor UI interactions or the input-unit interactions do not show any inputor any gestures or dynamics in the past 5 minutes; and therefore, theinteraction data correlator may determine that the commanded wiretransfer was not entered by a human user, but rather, might possiblyhave been submitted automatically by an automated script or a “bot”program which automatically and electronically submits form data withoutmoving the mouse and/or without typing on the keyboard. The interactiondata correlator may thus trigger an alarm or alert notification forpossible fraud.

In another implementation, the interaction data correlator may furthercorrelate or compare or match, between (a) meta-data about theinput-unit interactions that were actually performed, and (b) meta-dataabout the data that the banking service has received as part of thebanking command. In a demonstrative example, an automated script maymanipulate or modify or replace data that a human (genuine) user typed,and may submit the modified or fraudulent data to the banking service inlieu of the correct data that the human user has entered manually. Forexample, the human user may use the keyboard to enter a firstbeneficiary name of “John Smith” (having 10 characters, including theSpace), and having an account number of “12345678” (having 8 digits),and having a beneficiary city address of “Miami” (five characters);whereas, the automated script may manipulate or modify or replace theuser-entered data, after the user typed it but prior to its electronicsubmission to the banking service's server, to a second beneficiary name(such as “David Malcolm”, having 13 characters), having an accountnumber of “1234567” (having 7 digits), residing in a city of “Moscow”(having 6 letters). The interaction data correlator 242 need not receivefrom the banking service the actual data of the wire transfer details;rather, the interaction data correlator may receive only the meta-datadescribing the data, such as, that the wire transfer request is to abeneficiary name having 13 characters, to a bank account having 7digits, and to a city having 6 characters. The interaction datacorrelator 242 may inspect the recently-captured user interactions(e.g., keystrokes, mouse dynamics, mouse events, keyboard events, otherinput-unit events) and may determine that the command meta-data does notmatch the user-interactions (or the user interaction meta-data);because, the beneficiary name in the wire request has 13 characters, butthe interaction data correlator does not observe a series of 13characters entered within a short period of time (e.g., within 4seconds) as a separate batch from other data; or because the interactiondata correlator observes an initial batch of 10 characters enteredrather than 13 characters. The interaction data correlator may thusdetermine or deduce that an automatic script or “bot” has possiblyintervened to manipulate, replace or modify the data that the userentered manually, with fraudulent data whose meta-data does not matchthe meta-data of the user interactions; and the interaction datacorrelator may proceed to generate an alarm or alert notification ofpossible fraud.

In some implementations, the interaction data correlator may optionallymonitor and analyze the grouping of characters into “fields” or“batches”, and not only the total number of keystrokes or characters; byusing a grouping analyzer. For example, the genuine user may enter “JohnGreen” and also “Boston”, totaling 16 characters; and the automatedscript may fraudulently replace them with “David Green” and “Miami”,which are also totaling 16 characters. The interaction data correlatormay perform grouping into batches, and may notice that the manual inputthat was received corresponds to: a first batch of 10 characters,followed after ten seconds by a second batch of 6 characters; whereas,the data in the wire command (as manipulated by the automated scripts)corresponds to batches of 11+5 characters, and thus does not match thegrouping or batching of the manual user interactions; thereby triggeringan alert notification for possible fraud.

In some implementations, the interaction data correlator may utilize ahash/checksum module, in order to compare or match or correlate betweenhash values and/or checksum values of (a) data that the banking serviceindicates as being received from the user, and (b) data reflecting themonitoring of user interactions through the input unit(s); and withoutnecessarily receiving from the banking service the actual data of thebanking order. For example, the banking service may indicate to theinteraction data correlator that a wire transfer command has beenreceived, with a beneficiary name having ten characters and having achecksum of a hash-value of “54321”. The interaction data correlator, inconjunction with the checksum module, may check whether anyrecently-entered group or batch of ten characters, as captured frommonitored user interactions, has a checksum or hash-value of “54321”;and may generate a possible fraud alert if such match is not detected.

In some implementations, a keystrokes spacing module may be used todetect anomalies or fraud based on expected or observed gaps inkeystroke entry. For example, an automated script may input data byemulating a fixed-rate typist which types at a generally fixed rate(e.g., one character every second; or one character everyhalf-a-second); whereas, a human user may not have a fixed time-gapamong keystrokes. Furthermore, some automated scripts may attempt toinsert random or pseudo-random time-gaps between emulated keystrokes, tocreate an impression of a human user typing (rather than an automatedscript). However, a human user typically enters certain groups ofkeystrokes more rapidly and/or with reduced time-gaps (or with almost notime gaps), and this may be used by the keystrokes spacing module 245 todifferentiate between (i) a human user, and (ii) an automated scriptwhich enters characters in a synthetic or artificial manner“impregnated” or augmented with pseudo-random time-gaps. For example, afirst user may type the common suffix “tion” (as in “question”,“motion”), rapidly and with very little time-gaps among characters; ormay type the common prefix “re” (as in “recall”, “remove”) or the commonsequence “the” (as in “the”, “there”, “them”) more rapidly or with verylittle time-gaps among characters; whereas an automated script may entercharacters with fixed or pseudo-random time-gaps or intervals that donot correspond to the user-specific spacing or no-spacing while typingmanually certain keystroke sequences. These properties may be monitoredand analyzed by the keystrokes spacing module 245; and may be utilizedin order to distinguish or differentiate between (a) a human user, and(b) an automated script; and/or may be utilized in order to distinguishor differentiate between two human users (e.g., a genuine or legitimateuser, versus a fraudster or imposter or attacker or hacker).

The system may further comprise a Code Injection detector, able todetect a fraudulent or possibly-fraudulent situation in which a code orprogram or script is injected or added to a website or application orservice; for example, able to detect an HTML injection attack. In ademonstrative example, a malware or virus or Trojan is maliciouslyinstalled on a computing device or electronic device of a genuine user;who then access a particular service or website or application (e.g.,banking, electronic commerce). The server of the accessed service (e.g.,banking web-server) sends to the user's device an HTML page, whichrequires the user to enter a username and a password. The malware on theuser's computer intercepts the received HTML code prior to its renderingin the browser; and the malware then modifies, manipulates, replacesand/or augments the HTML code. For example, the malware may inject oradd to the original HTML code (that was received from the bank'sweb-server) additional HTML code (“injected code”), which also requiresthe user to enter her social security number, and/or to answer asecurity question (e.g., place of birth), as part of a fraudulent,modified, log-in page which is then rendered and displayed to the userby the web-browser. The malware may then capture the additional datathat the user enters and/or submits, while transmitting back to theweb-server only the data for the originally-required fields (theusername and the password) and not the augmented (fraudulent) fields.

The code injection detector may capture such code injection, forexample, by monitoring and analyzing the data or meta-data related touser interactions with input unit(s) (e.g., keystrokes, mouse clicks,mouse gestures, mouse events, touch-pad events).

In a first example, the code injection detector may receive from thebank web-server an indication that a form was sent to the user's devicefor filling and submitting by the user, and that the form (as sent fromthe web-server) contains two fields to be filled-out. The code injectiondetector may then detect that the monitored user interactions indicateclearly that the user has filled-out three fields rather than twofields; for example, because the user has entered a sequence of 10characters (possibly his username), then pressed Tab to move to a secondfield, then entered a sequence of 12 characters (possibly his password),then pressed Tab again to move to a third field, then entered a sequenceof 9 characters (possibly his social security number, or any other thirddata-item other than the two that the bank web-server requested to befilled-out). The code injection detector may thus determine thatpossibly a code injection attack is being carried out by a malwarecomponent; since the web-server of the service indicates that two fieldshave been requested to be filled-out, whereas the actual monitored userinteractions indicate that three (or more) fields have been filled-outmanually by the user.

In a second example, the code injection detector may utilize data ormeta-data about the length of field(s) that are expected, compared withactual number of characters typed. For example, the bank web-server mayindicate to the code injection detector, that two fields are expected tobe filled-out; a username field which is limited to 16 characters, and apassword field that is limited to 20 characters. The code injectiondetector may observe the actually-typed or actually-performed manualinteractions, and may detect that the user has typed a string with alength of 45 characters; thereby indicating that possibly a third field(or additional fields) have been fraudulently “injected” into the HTMLcode by a malware and have fraudulently induced the user to typeexcessive number of characters than expected.

The system may further comprise a hardware assembly detector able todetermine one or more properties of the hardware components that areactually used by a user of a computing device, based on analysis of userinteractions (e.g., keystrokes, mouse gestures, mouse events, mouseclicks, touch-pad events, and/or other input-unit events orinteractions).

In a first example, a stroke evaluator module (which may also bereferred to herein as a long-stroke evaluator module) may be used inorder to evaluate or analyze long strokes that the user performs. Forexample, the long-stroke evaluator module may monitor and may evaluateall the strokes (or gestures) in which the user moves the on-screenpointer (e.g., mouse-pointer, arrow-shaped pointer, cursor, or thelike); or the top K percent (e.g., top 5 percent or top 10 percent) ofthe strokes when ordered based on their length in descending order. Thelong-stroke evaluator module may detect, for example, that in a firstusage session on Monday, the ten longest strokes that the user performedhave moved the pointer by 600 to 700 pixels, thereby indicating that amouse device was used on a flat surface with a long stroke; whereas, ina second usage session on Tuesday, the ten longest strokes that the userperformed have moved the pointer by 250 to 300 pixels, therebyindicating that a touch-pad was used in that usage session. Accordingly,evaluation of the long or longest strokes of the user, may indicate onthe type of hardware that the using is utilizing; and may allow thelong-stroke evaluator module to distinguish or differentiate between auser utilizing a mouse device and a user utilizing a touch-pad.

Additionally or alternatively, the long-stroke evaluator module maydetect that in the second usage session, two or three consecutivestrokes of approximately 250 pixels each, where performed consecutivelywith short time-gaps between them (e.g., less than a second, or lessthan half-a-second), indicating that the user possibly utilized atouch-pad with three consecutive horizontal strokes in order to entirelymove the on-screen pointer from the left side of the screen to the rightside of the screen.

In another example, some laptop computers may include a mini-joystick inthe center of their keyboard, also known as a “pointing stick” (e.g.,having a red rubber tip); and the utilization of such keyboard-basedpointing-stick may leave a distinguishable footprint on userinteractions; for example, may manifest such utilization by shorterstrokes that are more “bursting” in their nature, or have a greaterinitial acceleration, or have a greater ending deceleration, or thelike. The long-stroke evaluator module may monitor long-strokes (orstrokes in general, not necessarily long ones) in order to detect suchtypical footprint or pattern that is indicative of a keyboard-basedpointing-stick; and may thus distinguish or differentiate between (a) auser utilizing a keyboard-based point-stick, and (b) a user utilizingother type of input unit (e.g., touch-pad, mouse).

The system may further comprise a sampling-based detector able todifferentiate between types of input units (e.g., mouse, touch-pad,pointing-stick), and/or even between different input units of the sametypes (e.g., different types of mouse devices), based on differentsampling footprint or sampling characteristics that such input devicesmay have, individually or due to their assembly with other specifichardware components.

In a first example, monitoring the utilization of a mouse device maylead to a first type of sampling distribution or standard deviationthereof or sampling frequency thereof; which may be different from thoseobtained from monitoring the utilization of a touch-pad, or apointing-stick. Accordingly, the sampling-based detector may determine,based on differences in the characteristics of the sampling of the inputdevice, that a first input device is currently utilized, whereas asecond input device had been utilized in a previous usage session of thesame purported user.

In a second example, mouse devices made by a first manufacturer (e.g.,Logitech) may have different sampling characteristics (e.g., frequency,distribution, standard deviation) than corresponding characteristics ofmouse devices made by a second manufacturer (e.g., HP); thereby allowingthe sampling-based detector to determine that a current user isutilizing a mouse from a different manufacturer, compared to a mouseutilized in a previous usage session of that user.

In a third example, a cordless or wireless mouse may have differentsampling characteristics (e.g., frequency, distribution, standarddeviation) than corresponding characteristics of a corded mouse; therebyallowing the sampling-based detector to determine that a current user isutilizing a wireless or cordless mouse, in contrast with a corded mousethat had been utilized in a previous usage session of that user (or viceversa).

In a fourth example, various models of the same type of mouse (e.g.,cordless, or corded) may have different sampling characteristics (e.g.,frequency, distribution, standard deviation), for example, due todifferent technical specifications of such different mouse devices(e.g., different physical dimensions; different resolution; being aleft-handed or right-handed or neutral mouse device; or the like);thereby allowing the sampling-based detector to determine that a currentuser is utilizing a mouse model which is different from a mouse modelthat had been utilized in a previous usage session of that user (or viceversa).

The system may further comprise a keyboard identification module, ableto distinguish or differentiate among keyboards based on userinteractions via such keyboards. For example, rapid typing of a certainsequence of characters (e.g., “tion” or “the”) may be indicative of anEnglish keyboard being utilized; whereas, rapid typing of other sequenceof characters (e.g., “ez” which is a frequent verb suffix in French) mayindicate that a French keyboard is being utilized. Similarly, Russiankeyboard, Chinese keyboard, and other keyboard layouts may be detected,by observing and detecting particular rapid sequences of characters thatare typically entered in certain languages and not others; regardless orindependently of (and sometimes in contradiction to) the estimatedgeographical region that may be (correctly or incorrectly) deduced fromthe Internet Protocol (IP) address of the user.

For example, a genuine user may be located in the United States and mayutilize an American English keyboard layout; but a remote attackerlocated in Russia may take control over the genuine user's computer inorder to access a bank account of the genuine user. The bank web-servermay only “see” the U.S.-based IP address of the genuine user, and maythus assume or determine (incorrectly) that the service is beingaccessed by a person located in the United States; however, the keyboardidentification module may observe one or more rapid key sequences thatare indicative of a non-English/non-U.S. keyboard layout, and may alertthe banking system that a possible fraud may be occurring, even thoughthe IP address of the logged-in user indicates a U.S.-based IP address.

In another example, different keyboard layouts may dictate, or may beindicative of, different speed or rate of typing (in general, or ofvarious words or syllables or sequences); and these parameters may bemonitored and evaluated by the keyboard identification module, and mayallow to distinguish or differentiate among users based on the estimatedtype of keyboard layout that is being utilized in a current session,compared to historical or past keyboard layout(s) that were observed inprior usage sessions.

Optionally, the hardware assembly detector may utilize a resourcesburdening module for the purposes of hardware assembly detection oridentification. In a demonstrative example, a web-page or application ofa service (e.g., banking service, or electronic commerce service) mayintentionally include excess code, whose purpose is to execute aresource-intensive operation or calculation (e.g., a function that findsall the prime numbers between 1 and 1,000,000); and the user's devicemay be induced into executing such code (e.g., as a client-sideJavaScript code or other client-side program) when the user is accessingthe service, in order to capture and use the footprint of such resourceburdening. For example, each time that a user logs-in to his bankingwebsite, the website may require the user's device to execute (e.g., onetime only per each log-in session) a particular resource-intensiveuser-side (e.g., browser-based) calculation, and to transmit or submitthe answer back to the server. The resources burdening module mayobserve that, for example, in a first usage session the client-sidecomputation required 13 seconds; in a second usage session theclient-side computation required 13.3 seconds; in a third usage sessionthe client-side computation required 12.8 seconds; and in a current,fourth, usage session the client-side computation required only 8seconds. This may indicate that the current usage session is beingperformed by utilizing a different hardware (e.g., faster processor;increased memory) relative to the previous usage sessions, and mayindicate that a possible fraud may be taking place (e.g., by a hacker, aremote attacker, or other fraudster). Optionally, such determination ofpossible fraud may be reached, even if the IP address and/or “cookie”information indicate that the current user is the same person (or thesame device) as the user of a previous usage session.

Optionally, the keyboard identification module may operate inconjunction with, or in association with, acognitive-based/non-biometric segmentation module, which may be able toestimate that a user is located in a particular geographic region (e.g.,continent, country) and/or that the user is fluent or knows how to writea particular language (e.g., a particular non-English language); basedon cognitive parameters which may be estimated or determined.

Some embodiments may perform non-biometric segmentation of users basedon cognitive behavior. For example, the system may estimate thegeographic or geo-spatial location of the user, based on an analysis ofthe key-typing by the user, which may indicate that a particularkeyboard layout (e.g., Russian keyboard layout) is being used, therebyindicating a possible geographical location (e.g., Russia or the formerSoviet Union). Some implementations may utilize a CAPTCHA challengewhich may require typing of local or region-specific or non-universalcharacters, thereby indicating a possible geographic location of theuser.

Some embodiments may utilize non-biometric segmentation of users basedon user interaction characteristics, in order to identify possibleattackers or fraudsters. The way that a user interacts with a computingdevice or website or application, may be indicative of a geographiclocation of the user, a primary language that the user masters or uses,an age or age-range of the user (e.g., relatively young age between 15to 30, versus senior citizens over 60), level of computer-proficiency orcomputer-literacy of the user, or the like. These features may beextracted for each usage session, may assist in creating a user-specificprofile, and may be used for detecting a potential attacker.

In a first example, geographic or geo-spatial features may be extracted,and may then be used for identifying a possible attacker located in Asiaand who attempts to compromise an account of a United States user orservice. In a second example, age-related features may be extracted andmay be used for identifying a possible attacker who is relatively young(under 30) and attempts to compromise an account of a senior citizen(over 60). In a third example, some younger or computer-proficient usersmay utilize certain keyboard shortcuts (for example, CTRL-V to pastetext), whereas a senior citizen may not be proficient with such keyboardshortcuts, or may not use them at all, or may even use Menu commands(e.g., Edit/Paste) to perform similar operations; thereby allowing toraise a flag or alert if an account of a senior citizen, who did notuser CTRL-V in the past, suddenly detects such usage.

Some embodiments may estimate the geographic or geo-spatial location ofa user, based on an estimate of the keyboard layout of that user byanalyzing keystroke patterns or other keystroke information; forexample, identifying strings of two or three characters, that aretypically typed quickly in first keyboard layout of a first region, butare typically types less-quickly or slowly in a second keyboard layoutof a second region. For example, the word “wet” may be typed quickly ina standard QWERTY keyboard in the United States, but may be types slowlyin a keyboard having a different layout in which the letters of the word“wet” are not adjacent. Similarly, when typing the word “read”, apartial string of “re” or “rea” is typically typed faster in some UnitedStates keyboard layouts, relative to the remaining portion of the word;and this may be different in other keyboard layouts. The system maytrack the keystroke patterns, of whole words, or of two-character orthree-character or four-character strings, and may utilize such patternsfor distinguishing between a genuine user and an attacker, or fordetermining whether a current user appears to be utilizing a keyboardhaving a different layout from the keyboard layout of a genuine user whologged-in previously or historically.

Some embodiments may similarly utilize other input-specific combinationsin order to distinguish between users, for example, utilization ofkeyboard shortcuts and/or menu commands, or utilization of a combinationof keyboard and mouse (e.g., clicking a mouse button while holding theShift key or the CTRL key); such advanced combinations may be moretypical of a younger user (e.g., age of 15 to 30), rather than a seniorcitizen user (e.g., age over 60). Similarly, the utilization of CapsLock or Num Lock or other “shifting” keys (e.g., the Windows key, or aFN function key in a laptop keyboard), may be indicative of a younger ormore-proficient user, and may be used for raising a flag or initiating afraud alert when such user attempts to handle an online account of asenior citizen.

In some embodiments, a CAPTCHA that requires to type local orregion-specific characters or language-specific characters may bedisplayed to the user, in order to further assist in distinguishingamong users or for extracting geographic data or keyboard layout data.In a demonstrative example, a web server or application server locatedin France, typically serving French users and customers, may display aCAPTCHA string of “pr t a porter”, in which two letters have accents (or“diacritical marks” or “diacritic marks”) on top of them (or under them,or near them); a user that masters the French language and/or utilizes akeyboard (hardware keyboard, or on-screen keyboard) having a Frenchlayout would probably type correctly either two or one of those accentedcharacters (with their accents, or with their diacritical marks);whereas a non-French person, or a person utilizing a keyboard that doesnot have a French layout, would probably type without any accents ordiacritical marks, “pret a porter”.

The system may further comprise a user-age estimator, able to estimatean age or an age-range or age-group of a user of an electronic device,based on monitored interactions of the user with input unit(s) of theelectronic device. Additionally or alternatively, a user expertiseestimator may estimate whether a user of an electronic device is anovice user or an expert user; or whether the user is experienced ornon-experienced in operating electronic devices and/or in accessingonline systems.

In a first example, the typing speed on a keyboard may be monitored andanalyzed; rapid typing speed may indicate that the user is relativelyyoung (e.g., between the ages of 15 and 40, or between the ages of 18and 30), and/or may indicate that the user is an expert or experienced.In contrast, slow typing speed may indicate that the user is relativelyold (e.g., over 60 years old; over 70 years old), and/or that the useris non-experienced or novice. Optionally, threshold values (e.g.,characters-per-second) may be utilized, with regard to the user'styping, in order to estimate the user's age or age-range, or the userbeing expert or novice.

In a second example, the user-age estimator may take into accountwhether or not the user utilizes advanced options for inputting data.For example, utilization of “copy/paste” operations may indicate ayounger user or an expert user; whereas, repeated typing (even ofduplicate information, such as mailing address and shipping address) andlack of using “copy/paste” operations may indicate an older user or anovice user. Similarly, utilization of various “keyboard shortcuts” in abrowser or an application, may indicate a younger user or an expertuser; whereas, lack of utilization of “keyboard shortcuts” in a browseror application may indicate an older user or a novice user.

In a third example, the general efficiency and/or speed of the user incompleting a task may be monitored and may be taken into account by theuser-age estimator and/or by the user expertise estimator. For example,if it takes the user around 60 or 90 seconds to complete all theinformation required for a wire transfer, then the user may beclassified as a younger user and/or an expert user. In contrast, if ittakes the user more than 6 minutes to complete all the informationrequired for a wire transfer, then the user may be classified as anolder user and/or a novice user.

Some embodiments may distinguish between an expert user and a noviceuser, or between a technology-savvy user and a common user, based ontracking and identifying operations that are typical of such type ofuser. For example, usage, or frequent usage, or rapid usage, of keyboardshortcuts or cut-and-paste operations (e.g., CTRL-C for Copy), or usingALT-TAB operations, or performing rapid operations in a short time or atrapid rate, or avoiding usage of menus, may indicate an experienced userrather than a novice user. Utilization of the Tab key for moving amongfields in a form, or utilization of the Enter (or Return) key instead ofusing a “submit” button or a “next” button, may indicate an experienceduser. The system may identify that a previous user of an account hastypically operated the account with a pattern that typically matches anovice or non-sophisticated user, whereas a current user of the accountappears to operate the account with a pattern that typically matches anadvanced or expert user; and this may cause the system to raise a flagof alert for potential fraud. Similarly, an attempt to perform a newtype or certain type of operation in the account (e.g., a wire transfer;or a money transfer to a new destination or new recipient), togetherwith usage pattern that is indicative of an expert user or sophisticateduser, may by itself be a trigger for possible fraud.

The estimations made by the user-age estimator and/or by the userexpertise estimator may be compared or match to user data which mayappear in a user profile, or may be received from a third party or fromthe service provider (e.g., the bank web-server); and may be used totrigger a possible fraud alert. For example, the bank web-server mayindicate to the system that the current user is in the age-range of 70to 80 years old; whereas the user-age estimator and/or the userexpertise estimator may determine, based on analysis of actualinteractions, that the current user appears to interact as if he is anexpert user or a younger user, thereby triggering a possible fraudalert.

The system may further comprise a user gender estimator, able toestimate the gender (male or female) of the user of an electronicdevice, based on analysis of monitored input-unit interactions. In ademonstrative example, most males have short fingernails or non-longfingernails; whereas some females may have long fingernails. Applicantshave realized that when a person having long fingernails types on aphysical keyboard (having physical keys), there is typically a shortertime-gap between the “key down” and the “key up” events. Someexperiments by the Applicants have shown that it may be possible todistinguish between a male user and a female user, with level ofconfidence of approximately 65 to 70 percent or even higher. The usergender estimator may thus monitor the time-gaps between key typingevents, in order to estimate whether the current user is male or female.Such gender estimation may be taken into account by a fraud detectionmodule, in combination with other parameters (e.g., time-gaps inprevious usage sessions of that user in the past; the fact that asignificant majority of attackers on banking websites or electroniccommerce websites are performed by male users and not by female users),and/or in combination with other parameters or data or meta-datareceived from the service being monitored (e.g., an indication from thebank web-server about the registered gender of the logged-in user as itappears in the user's profile).

Optionally, the gender estimation (and/or other user-specificestimations as described above) may be utilized for triggering apossible fraud alert; or may be used to the contrary, to avoid raising apossible fraud alert. For example, the system may estimate that a firstuser at 10 AM is a novice old male, and that a second user who accessedthe same account at 10:15 AM is an expert young male; thereby indicatinga possible fraud (e.g., the second user may be an attacker), possiblytaking into account the fact that the account indicates only oneaccount-owner. In contrast, the system may estimate that a first user at4 PM is a novice old male, and that a second user at 4:10 PM is a noviceold female; and may take into consideration also the fact that this bankaccount is jointly-owned by a married couple of two senior citizens;thereby allowing the second access session without raising a possiblefraud alert.

In some embodiments, an advertising/content tailoring module may utilizethe estimations or determinations produced by other modules of thesystem, in order to tailor or select user-specific advertisements orbanners or promotional content (or other type of content, such as newsarticles, videos clips, audio clips), tailored to the estimatedcharacteristics of the user. For example, the user-age estimator mayestimate that the current user is in the age-range of 18 to 30 years;the user expertise estimator may estimate that the current user is anexpert or experienced user; and the user gender estimator may estimatethat the current user is a male; and based on these estimations, theadvertising/content tailoring module may select or modify a banner adwhich suits this segment of the population. Additionally oralternatively, the advertising/content tailoring module may take intoaccount geographic segmentation and/or language segmentation, which maybe based on IP address of the user and/or may be based on analysis ofmonitored user interactions which may allow identification of foreignkeyboard layouts and/or foreign languages, thereby allowing theadvertising/content tailoring module to further tailor the displayedpromotional content based on the additional geographic informationand/or language information.

The system may comprise a credentials sharing detector, for detection,mitigation and/or prevention of credential sharing (e.g.,username-and-password sharing, or other cases of “friendly fraud”) amongtwo or more users, in which one user is an authorized user or “payingsubscriber” who shares his credentials (e.g., for accessing a premiumservice) with a second user (who is not a “paying subscriber”). Forexample, John may be a paying subscriber of “Netflix” or otherstreaming-content provider; or may be a paying subscriber of“NYTimes.com” (newspaper) or of “Lexis.com” (legal informationdatabase). The user John (who may be, for example, male, 20 years old,expert user) may share his log-in credentials to such premiumsubscription service, with his aunt Susan (who may be, for example,female, 60 years old, novice user). The modules of the system maymonitor user interactions with the service (e.g., in the log-in page,and/or in subsequent pages that the user may browse, access, orotherwise interact with), and may estimate user-specific characteristicsbased on the user's interactions with the input unit(s), therebyallowing the system to distinguish and/or differentiate between thelegitimate user (the subscriber John) and the illegitimate user whopiggy-backs on the credentials of the legitimate user in order to accessor consume premium content without separately subscribing to it.

In some embodiments, the system may detect scenarios of two users usingone computing device, in the training phase and/or testing phase. If auser's account is suspected to have multiple users, the system may useunsupervised clustering for separating between users. Afterwards, thesystem may use separate individual model for each cluster (e.g., eachestimated user). This may allow the system to build a combined model,consisted of the individual users' models. This solution may outperformbuilding one model for all users, even though it may require more dataas the number of training sessions per user may be decreased. In someembodiments, for example, a joint-account user-profile constructor maybe used in order to utilize the estimated differentiation or thedistinguishing between two (or more) legitimate, authorized users whohave authorization to access the same account or service (e.g., twoco-owners of a joint bank account), and may construct two separateuser-profiles that reflect the biometric and/or cognitive footprints ofeach user separately (based on each user's separate interactions withthe input unit(s) and/or the system). This may enable the system todifferentiate between each one of those legitimate (but separate) users,and a third user which may be an unauthorized attacker. This approachmay yield improved and/or more reliable results, relative to aconventional approach which constructs a single user profile based onall usage sessions of a certain service or account, or relative to aconventional approach that does not attempt to distinguish between twolegitimate users accessing the same account (e.g., joint account, familyaccount).

The system may readily support multiple users per device. The system mayapproach the problem in two ways: first, identify that two users sharethe account; then either build separate models for each user, or, ifsuspicious, generate an alert (e.g., to the bank). Detection of multipleusers may happen in two phases: during initial training, or afterinitial training.

During initial training: if two or more users operate the account duringthe initial silent period, in which the system learns the user behaviorand builds a model, then the system may utilize algorithms to detectthis. In case a user's account is determined to consist of multiplehumans, the system may use unsupervised clustering for separatingbetween the different users even though a robust profile was not yetbuilt. Afterwards, the system may use separate individual models foreach cluster (suspected user). This in turns allows the system to buildindividual users' models. Some embodiments may utilize 5-10 sessions peruser (not per account) to build the model. The system may check to seeif any of the users shows typical or specific fraudster behaviors; ifyes, then an alert is generated, and if not then the system may deducethat both are genuine and may build a model.

After a model is built for the main user: in such case, a second userstarts using the account. The system may alert that this is not theoriginal user, and the system (e.g., a bank's system) may act upon thisdetermination in combination with additional factors (e.g., is the newuser conducting suspicious or high-risk activities; are there severalaccount owners on record or a single owner).

For example, one option is to elevate the risk for the account, suchthat, when the new user conducts a high-risk activity (e.g., paying to anew beneficiary, or registering a new phone number to a service whichallows withdrawing cash from ATMs without a PIN), the system may treatsuch new user as a suspect user.

Another option is to conduct a manual or automated investigation bycontacting the main user, ascertaining their identity, and then askingwhether a family member may be using the same account. If yes, then thismay be reported to the system via case management, and the system mayautomatically add that new user to the account.

A third option is to assume that as long as the new user is not doinganything risky, and is not identified as a likely fraudster based ontheir overall usage patterns (e.g., the new user does not appear tooperate like expert users, as described above), then the system maydetermine that the new user is a genuine additional user. In this casethe system may automatically build a profile for the new user and assumethey are a genuine secondary user, unless follow-up activities do showsigns of fraud behavior.

The system may optionally use a profile type in which a combined modelis built for the two users (e.g., generating an account profile peraccount, rather than a user profile per user). The system may thus have,in some embodiments, a single profile for the entire account, and testit by means of cross-validation that it can be used to accept both whilerejecting others. Adding this profile to the scoring process might offersome advantages over just building two separate user models.

Detection of multiple users during the training phase may be performedby using a particular algorithm. The system needs to accept trainingsessions where there are variations between each session (which is thecase for the majority of accounts); but the system may also need to spotsessions that are most likely done by another human, although the systemhas not yet built a robust model.

A confusion matrix user-differentiation matrix may be generated and/orused, in accordance with some demonstrative embodiments of theinvention. For demonstrative purposes and for simplicity, such confusionmatrix may indicate only four different “shades” or fill-patterns;whereas in real-life many (e.g., 10 or 20) shades or colors may be used.

Using a mobile banking simulated environment, a scenario was tested, inwhich two people operating on the same account produce data. Theconfusion matrix shows how each user session compares to all othersessions. For example, when comparing the session of User 1 to itself,the result is a deep dark square (highly unlikely to be a differentuser), as in all “User-K to User-K” comparison (the diagonal darksquares); but in all other comparisons the color is lighter (highlylikely to somewhat likely to be a different user). There are some caseswhere a single user session appears like another single user session(e.g., User-3 session looks like User-5 session); in this case thesystem might “miss” the detection of the two separate users. Overalldetection rate of some embodiments may be around is 95%, at 0% falsepositive for this test.

In a demonstrative confusion matrix: the diagonal black squares are thesame user (no mixture), and the off-diagonal squares are mixtures of twousers. Each number for both rows and columns represents a single user.The color (or shade) of each square represents a score. The diagonaldiffers from the non-diagonal items, which means that the system mayidentify a mix of users in a single account even during the trainingphase.

In some embodiments, the credentials sharing detector may be implementedas, or may be associated with, a “multiple-users for same account”detector, which may be able to detect that two (or more) different usersare accessing, or are attempting to access, at different times or duringoverlapping or partially-overlapping time-periods, the same computerizedservice, using the same user-account (e.g., utilizing the samecredentials, username-password pair, or other same data of userauthentication). The computerized service may be for example, streamingvideo service (e.g., Netflix, Hulu), streaming audio service, legalinformation database (e.g., Lexis.com), news database or website (e.g.,NYTimes.com), bank account, a website or application which providesaccess to digital content to registered subscribes or to payingsubscribers or to premium subscribers, or the like.

The two (or more) users, which may be detected, identified,differentiated and/or distinguished from each other by the system, maybe, for example: (a) an authorized or genuine user, and an attacker orhacker; or, (b) a first user who is the paying subscriber that receivedor created the login credentials, and a second user (e.g., his friend orrelative) who is not the paying subscriber, and who received the logincredentials from the paying subscriber (e.g., a “friendly fraud”situation, or a password-sharing or credentials-sharing situation); or,(c) a first user who obtained the user credentials from any source (andis not the paying subscriber himself), and a second user who alsoobtained the user credentials from any source (and is not the payingsubscriber himself), such as, for example, a mother and a sister of apaying subscriber who both received the login data from the payingsubscriber. Other suitable pairs (or groups, or sets) of multiple users,may be differentiated or distinguished and “broken” or divided orseparated into the single entities that comprise them.

In a demonstrative implementation of the “multiple-users for sameaccount” detector, a first user “Adam” may be a paying subscriber thatcreated or obtained (e.g., legally, lawfully) user credentials (e.g.,username and password) for a subscription-based service. Adam shared hisuser credentials (e.g., possibly in contradiction to terms-of-service ofthe subscription-based service) with a second user, “Bob”. Each one ofthe two users (Adam, Bob) may be able to access the service, from thesame electronic device or from separate (distinct) electronic devices,at various time-slots or time-frames which may be distinct or may evenbe overlapping or partially-overlapping or simultaneous ofpartially-simultaneous; by entering the same user credentials.

The system may continuously monitor user-interface interactions and/orinput-unit interactions (e.g., performed through a mouse, a keyboard, atouchpad, or the like), of users accessing that particular computerizedservice, including (but not limited to) the interactions performed byusers (Adam and/or Bob) who used the user-credentials of Adam, as wellas interactions performed by other users of that particular computerizedservice that are not related or connected to Adam and/or Bob and wholog-in to the service using other credentials.

The system may accumulate data reflecting the interactions of dozens, orhundreds, or thousands of users who access that service; as well as datareflecting the interactions of two or more usage sessions in which Adamand/or Bob (without the system necessarily knowing yet which one ofthem) has accessed the service with Adam's credentials.

The system may analyze the interactions, or may extract propertiesand/or attributes of such interactions; for example, distribution ofinteractions per usage session, standard deviation of sampled data perusage session, average time of usage per usage session, average numberof clicks (or keystrokes) per usage session, average time-gap betweeninteractions (e.g., between keystrokes) per usage session, typicalreaction (or reactive action, or corrective action) that is performed bya user in response to a user-interface interference that is injectedinto the usage session, and/or other attributes of each usage session.In some implementation, a usage session may be defined as a time periodthat begins when a user starts accessing the particular service bystarting to enter the login credentials, and that ends upon detectingthat a pre-defined time period (e.g., one minute, five minutes, tenminutes, one hour, two hours) has elapsed since the last userinteraction was observed for that particular service.

In a demonstrative embodiment, the system may generate numerousCross-Account Pairing Scores for pairs of usage sessions. Firstly, thesystem may generate pairing scores for two usage sessions that are notfor the same subscription account, and thus, necessarily (or mostprobably), were not performed by the same (single) human user. Forexample, if the paying subscribers of the particular service are Adam,Charlie, David, Even, Frank, and so forth, then the system may generate:

(a) a first cross-account pairing score that corresponds to acombination of: (i) the interactions of the user who utilized the logincredentials for “Charlie”, and (ii) the interactions of another user whoutilized the login credentials of “David”;

(b) a second cross-account pairing score that corresponds to thecombination of: (i) the interactions of the user who utilized the logincredentials for “Charlie”, and (ii) the interactions of another user whoutilized the login credentials of “Eve”;

(c) a third cross-account pairing score that corresponds to thecombination of: (i) the interactions of the user who utilized the logincredentials for “Charlie”, and (ii) the interactions of another user whoutilized the login credentials of “Frank”;

(d) a fourth cross-account pairing score that corresponds to thecombination of: (i) the interactions of the user who utilized the logincredentials for “David”, and (ii) the interactions of another user whoutilized the login credentials of “Eve”; and so forth, with regard topairs of usage sessions that are known to be originating from pairs oftwo different users (because they originated from two different logincredentials).

Additionally, the system may generate Intra-Account Pairing Scores thatreflect the user interactions for pairs of usage sessions that are knownto be performed for the same subscription account. For example, if theuser account of “Adam” has logged-in three times (three usage sessions),then the system may generate the following pairing scores:

(a) a first intra-account pairing score for the subscription account of“Adam”, that corresponds to the combination of: (i) the interactions ofthe user who utilized the login credentials for “Adam” in the firstusage session, and (ii) the interactions of the user who utilized thelogin credentials of “Adam” in the second usage session;

(b) a second intra-account pairing score for the subscription account of“Adam”, that corresponds to the combination of: (i) the interactions ofthe user who utilized the login credentials for “Adam” in the secondusage session, and (ii) the interactions of the user who utilized thelogin credentials of “Adam” in the third usage session; and so forthwith regard to pairs of two consecutive usage sessions that wereperformed for the same subscription account, for each such subscriptionaccount.

It is noted that a “pairing score” may actually be a “grouping score”,by similarly grouping together a set of three or four or other number,which may not necessarily be two.

The system may then analyze the cross-account pairing scores, and may(separately) analyze the intra-account pairing scores, in order todetect typical patterns or significant attributes. For example, thesystem may calculate that cross-account pairing scores have a firstvalue of a particular attribute (e.g., standard deviation, or average,or the like); and that the intra-account pairing score calculated overtwo particular usage sessions from a particular (same) subscriptionaccount have a different value of that particular attribute.

The system may analyze one or more pairs of usage sessions, that areassociated with the subscription account of “Adam”, compared relativeto: (A) pairs of usage sessions of the general population of usagesessions that belong to the same subscription account; and/or, comparedrelative to: (B) pairs of usage sessions that are known to belong todifferent users (e.g., cross-account usage sessions). The system maythus determine whether a pair of usage sessions, that were performedwith the login-credentials of the subscriber “Adam”, were indeedperformed by the same single human user (e.g., if the attributes of suchpair of usage sessions, are more similar to the attributes of pairs ofintra-account usage sessions), or conversely, whether that pair of usagesessions were performed by two different users (e.g., Adam and hisfriend; or Adam and an attacker), for example, if the attributes of suchpair of usage sessions are more similar to the attributes of pairs ofcross-account usage sessions.

In a demonstrative example, the system may check whether: (a) a pair ofintra-account usage sessions that are associated with thelogin-credentials of Adam and Adam, is more similar to either: (i) pairsof intra-account usage sessions that are associated with the same logincredentials (e.g., a pair of David+David, a pair of Eve+Eve, a pair ofFrank+Frank, an average or other parameter computed over multiple suchpairs), or is more similar to: (ii) pairs of cross-account usagesessions that are associated with different login credentials (e.g., apair of David+Eve, a pair of David+Frank, a pair of Eve+Frank, anaverage or other parameter computed over multiple such pairs).

The system may thus be able to identify that a particularsubscription-account is utilized by two different human users, rather bythe same single human user; and may generate a suitable notification(e.g., a possible fraud notification; a notification to billingdepartment; a notification to cost-containment department).

The system may be able to identify that a particularsubscription-account is utilized by two different human users, rather bythe same single human user, without relying on (or without taking intoconsideration) the Internet Protocol (IP) address associated with eachusage session (or each purported user); without relying on (or withouttaking into consideration) the user-agent data associated with eachusage session (or each purported user); without relying on (or withouttaking into consideration) any “cookie” data or “cookie” file which maybe stored or used by the computerized service.

The system may be able to identify that a particularsubscription-account is utilized by two different human users, rather bythe same single human user, without necessarily building a long-termprofile (or any type of user-specific profile) for a particularsubscription account; or without having to utilize a “training period”in which the system “learns” the habits or the repeated habits ofparticular subscribers. The system may commence to detectshared-credentials or multi-users in the same subscription account,without constructing a user profile or a subscription-account profilethat spans (or that relies on) three or more usage sessions.

The system may utilize visible changes of the UI or GUI or the on-screenexperience, optionally utilizing gamification features (in whichfeatures or functions are presented in a manner similar to a game orpuzzle or similar online activity), in order to identify user(s) ordetect possible fraud. For example, a login process may be subject togamification by a gamification module, such that a user may be requiredto perform game-like operations (e.g., move or drag items, handle itemsrelative to a virtual on-screen “magnet” in a particular location on thescreen, complete an on-screen puzzle, rotate a spindle or on-screenwheels or handles of a virtual vault), and the user's reactions orbehavior or interactions may be utilized for identification orfraud-detection purposes.

Some embodiments of the invention may allow a unique way of two-factor(or two-step) authentication or log-in. For example, entry of usercredentials (e.g., username, and/or PIN or password or passphrase) maybe subject to gamification or may be implemented by utilizing a graphicuser interface (GUI) or on-screen interface in a way that captures orrecognizes user-specific traits through the way that the user utilizessuch interface for entering is credentials. Accordingly, the mere entryof credentials by the user, may be used as a two-factor authentication,such that entry of a correct PIN or password may serve as a firstfactor, and the way or pattern or behavioral traits or other-specifictraits of the way in which the user enters the PIN or password may serveas a second factor.

In a first example, the user may be required to enter a four-digit PIN.An on-screen keypad may be shown to the user, showing ten digits (from 0to 9), and showing four empty “slots” into which the user is requestedto “drag and drop” digits, one digit at a time. The user may drag thefour digits of his PIN, to the four respective slots, in the rightorder. If the four digits dragged match (in their right order) theuser's stored PIN, then a first factor of authentication is met. If theway in which the user drags-and-drops the digits onto the slots, matchespreviously-recorded information that indicates how the user typicallyperforms such GUI operation, then a second factor of authentication maybe met.

In a second example, alphabetical characters, or alpha-numericcharacters, or other characters, may be presented to the user as anon-screen keyboard, and the user may drag characters from it towardsslot(s) or a field into which the password or PIN is accumulated; andthe system may monitor and utilize both the correct entry of the PIN orpassword, as well as the manner in which the user utilizes the GUI toachieve such correct entry.

In a third example, as part of a user authentication process or a userlogin process, digits (or letters, or characters) are shown on rollerswhich may be similar to a slot-machine; and the user may need to shiftor turn or roll such rollers in order to reach a particular digit (orletter, or character) on each roller. The correctness of the PIN, aswell as the way in which the user utilizes the GUI to reach the correctPIN, may serve as two-factor authentication.

In a fourth example, the log-in process may include PIN entry as well asperforming a simple game-like operation, such as, correctly assembling apuzzle having few pieces (e.g., less than ten pieces). The way in whichthe user utilizes the GUI to assemble the puzzle, may be used as afactor in user authentication, in addition to the correct entry of thePIN or password value.

In some embodiments, the system may utilize a “training period” of, forexample, ten user-authentication sessions, in which the system maymonitor and track how the user utilizes the GUI to enter his PIN orpassword. For example, the system may observe and recognize that theuser typically drags a first digit of his PIN in a straight shortdiagonal line, then he drags a second digit of his PIN in a long curvedline, or the like, then he pauses a little longer before dragging thethird digit, and so forth. The system may generate a user-specificprofile that corresponds to such user-specific insights. Subsequently,when the user again logs-in, the system monitors the correctness of hisPIN as well as whether the manner in which the user enters his PINmatches his previously-generated profile of GUI utilization, as atwo-factor authentication scheme. In some embodiments, if the currentmanner of GUI utilization does not match the previously-determineduser-specific profile of GUI utilization, then the system may declarethat the user failed to authenticate, or that a possible fraud exists.

In some embodiments, the present invention may be used to facilitate aprocess of PIN-reset or password-reset. For example, a PIN-reset processmay require the user to enter his current PIN, both by entering thecorrect PIN value as well as (without the user necessarily knowing) inthe particular GUI-utilization manner that matches his user-specificprofile. If both factors are met, then PIN-reset may be enabled, withoutthe need to utilize a complex process in which the user is alsocontacted by phone or by email.

In some embodiments, a tolerance-for-mistakes modification module may beutilized to increase (or decrease, or modify) the system's tolerance formistakes (or failed attempts) made by the user in an authenticationprocess. For example, a demonstrative system may allow three consecutivefailed attempts in logging-in, and may then “lock” the account and mayrequire that the user (e.g., a bank customer) to call a customer servicenumber for further handling. However, if the present invention isutilized, some embodiments may recognize that although three failedlog-in attempts were performed, they were all performed in aGUI-utilization manner that closely matches the previously-storeduser-specific profile of GUI utilization; and therefore, the system maybecome more “forgiving” and may allow such user one more (or a few more)log-in attempts before “locking” the account or putting the process onhold.

In some embodiments, the system may periodically update theuser-specific GUI-utilization profile, based on the ongoing utilizationby the user. For example, the user may start utilizing the system onJanuary 1st, and the system may utilize ten log-in sessions, performedin January, for generating an initial user-specific profile of GUIutilization. The system may proceed to utilize the generated profile,during 25 subsequent log-in profiles of that user, in the months ofFebruary through June. The system may continue to update theuser-specific profile, based on log-in sessions as they take place.Optionally, the system may discard historic data of GUI-utilization(e.g., in a First-In-First-Out (FIFO) order), since, for example, a usermay change the way he utilizes the GUI over time, due to learning thesystem better, becoming more familiar with the system, getting older inage, or the like. In some embodiments, the system may continuouslyupdate the user-specific profile of GUI utilization.

Some embodiments may generate and utilize a login process which maycomprise one or more challenges to the user, that the user may not beaware of, or that the user may perform without being aware that thesystem is checking additional parameters about the user (other than theuser's credentials, e.g., username and password).

In a first demonstrative example, a Visual Login module may generate anddisplay an on-screen user interface which requires the user to performon-screen operations in order to log-in to a service, such that theon-screen operations to be performed by the user may require the user toperform input-unit interactions (e.g., mouse-clicks, mouse movement,keystrokes, or the like) that may be monitored by the system, and suchthat user-specific traits may be extracted from such input-userinteractions, with or without introducing (or injecting) an interferenceto the on-screen log-in process or to the user experience of the visuallogin process.

In a more particular example, the Visual Login module may present anon-screen interface showing an on-screen keypad (or keyboard) and a“target” zone (or field, or area); and the user may be requested todrag-and-drop digits (or letters, or character), one by one, in theircorrect order, from the on-screen keypad (or keyboard) to the targetzone, thereby filling-in the user's credentials (e.g., username,password, PIN, or the like). The system may monitor the way that theuser drags-and-drops the on-screen items (e.g., digits, letters,characters) from the on-screen keypad (or keyboard) to the on-screentarget zone; and may extract user-specific traits from suchinteractions. For example, a first user may drag a particular digit(e.g., the first digit in his PIN; or the digit “4”) in a straight orgenerally-straight line, whereas a second user may drag that particulardigit in a curved line, or in a line having certain attributes (e.g.,counter-clockwise direction), or the like. The system may store, in auser's profile or record, data indicating the user-specific trait thatwas extracted from those interactions; as well as other suitableparameters which may be extracted or computed based on the sampling ofthe input-device interactions during such Visible Login process (e.g.,average time or speed associated with the login process; indicativepauses between entry of particular characters, or before or afterentering a particular character; or the like). In a subsequent loginprocess, the extracted user-specific traits may be utilized fordifferentiating or distinguishing between a first user and a seconduser; or between a genuine (legitimate) user and a fraudster (orunauthorized user).

In another example, the Visual Login module may operate in conjunctionwith one or more interference(s), which may be introduced or injected tothe visual login process. For example, the Visual Login module mayintroduce a randomly-selected interference (e.g., selectedpseudo-randomly from a pool of several or numerous pre-defined types ofinterferences), or may introduce a pre-defined interference or set ofinterferences. For example, when the user drags the second characterfrom the on-screen keypad to the on-screen target zone, the on-screendragged character may suddenly appear to be “stuck” for three seconds,or may appear to “jump” 200 pixels to the left side of its currentlocation; and the system may monitor the user's reaction to suchinterference(s), e.g., how long it takes the user to notice theinterference and/or to take corrective actions, which type of correctiveaction the user takes (e.g., shaking the mouse unit sideways, orspinning the mouse-device clockwise, or clicking the mouse severaltimes), and/or other attributes or parameters of the specific correctiveaction (e.g., if the user shakes his mouse unit, for how many times isit shaken, or the direction of shaking, or the direction of rotation, orthe like). In a subsequent login process, the extracted user-specifictraits may be utilized for differentiating or distinguishing between afirst user and a second user; or between a genuine (legitimate) user anda fraudster (or unauthorized user); for example, by injecting the sametype of interference to the accessing user, and by monitoring whether ornot the current user's reaction to the interference matches thepreviously-extracted user-specific traits.

Some embodiments may utilize other types of on-screen visual loginprocess, which may not necessarily involve drag-and-drop operations. Forexample, an on-screen “vault” may be displayed to the user, with wheelsor bolts or cylinders that the user may be required to spin or to rotate(e.g., with one or two or three fingers on a touch-screen), in order toenter a combination which corresponds to the user's PIN. Other types ofchallenges may be used, optionally having game elements or game-likeelements, and optionally hiding from the user the fact that the systemmay implicitly track user-specific patterns of interactions as part ofauthenticating the user.

Some embodiments may thus allow or enable the system to perform animplicit Two-Factor Authentication (TFA) process (or two-stepauthentication process), without the explicit knowledge of the user. Forexample, the implicit TFA process may combine a first factor (“somethingyou know”) with a second factor (“something you have”), such that, forexample, the first factor may be the user's knowledge of his PIN orpassword (e.g., the entered password or PIN matches thepreviously-defined PIN or password of that user); and the second factormay be the user's particular way of handling of the input-unit, eitheras general handling, or as a particular handling in response to aninterference injected to the login process. The system may thusimplement TFA without requiring the user, for example, to utilize atoken device for generating a one-time password, or without requiringthe user to receive a one-time password via text message or emailmessage or voice message; and without even the actual knowledge of someusers that the authentication process is actually an implicit TFAprocess.

In some embodiments, the visual login (or visible login) process may beimplemented by utilizing one or more of the following:

(1) Drag-and-drop of digits or letters or characters, from an on-screenkeypad or keyboard, to an on-screen target zone, while monitoringuser-specific interaction patterns, without injecting a user-interfaceinterference, and/or in response to an injected user-interfaceinterference.

(2) Rotating or spinning of on-screen “vault” elements or cylinders inorder to enter a PIN, while monitoring user-specific interactionpatterns, without injecting a user-interface interference, and/or inresponse to an injected user-interface interference. The system maymonitor one or more attributes of the input-user interactions, or of theuser interactions, in order to extract or construct a user-specificpattern or model or profile; for example, reflecting or correspondingto: (a) whether the user rotates a cylinder clockwise orcounter-clockwise; (b) whether the user utilizes one finger, or twofingers, or three fingers, in order to perform a rotation operation; (c)whether the user typically uses a top-area (or a bottom-area, or aright-area, or a left-area) of the cylinder in order to perform therotation, or two particular (e.g., opposite) areas of the cylinder inorder to perform the rotation; (d) the arrangement, distance and/orspacing between two or more fingers that the user utilizes for rotatingthe cylinder (e.g., measured via on-screen pixels distance betweenpoints of touching the touch-screen); (e) relative movement of eachfinger that is used for rotation, since not all fingers may moveuniformly or at the same speed or to the same direction; (f) time-lengthor duration that it takes the user to perform a rotation; (g) whetherthe user typically performs one long rotation movement, or performsmultiple shorter rotation movement, in order to achieve a rotationresult of a particular type (e.g., a rotation result that requiresrotation by at least 180 degrees); or the like. Optionally, one or moreuser-interface interferences or abnormalities may be injected orintroduced; for example, causing an on-screen cylinder to become “stuck”or non-responsive for a pre-defined period of time (e.g., five seconds),causing an on-screen cylinder to rotate faster or slower relative to therotation of the fingers of the user or to continue rotating after theuser stopped his rotating gesture); and a user-specific profile orpattern may be extracted, based on the user's reactions to suchinterference. In a subsequent usage session or log-in session, animplicit TFA process may thus be able to verify that both: (a) the userknows and enters the correct credentials, and (b) the user enters thecredentials in a manual manner that corresponds to (or matches) theuser-specific profile that indicates how this user has previouslyreacted to such interference.

(3) Entering user credentials (e.g., username, password, PIN, or thelike), optionally by utilizing the on-screen interface mentioned in (1)above, while de-activating the Enter (or Return) key on the keyboard,thereby requiring the user to click or tap on an on-screen “submit”button (since the Enter or Return key is non-responsive), and whileintroducing an interference or abnormality to the on-screen “submit”button (e.g., the on-screen “submit” button is non-responsive for apredefined time period, or the on-screen “submit” button isnon-responsive for a pre-defined number of clicks, or the on-screen“submit” button is being moved sideways upon approach of the user'spointer; and while monitoring user-specific interaction patterns;thereby allowing the system to perform implicit TFA, by examiningwhether the user knows the corrected credentials (e.g., password orPIN), and also, whether the user's input-unit interactions (in responseto the injected user-interface interference) match the previoususer-specific pattern or profile or reaction to such interference.

(4) Presenting an on-screen collection of items (e.g., ten images ofvarious objects or animals); and requesting the user to drag-and-drop,on the screen, one particular item from the collection, based on verbalor textual description that the user has to comprehend in order to matchwith the correct image; such as, “please drag the image of a Dog to thetarget zone”, or “please drag the image that shows a Fruit to the targetzone”. While the user performs the drag-and-drop operation, the systemmay introduce a user-interface interference (e.g., the dragged itemsuddenly deviates sideways, or suddenly freezes or appears to be“stuck”), and the system may monitor the user's reaction orcorrective-action to such interference. Subsequently, such login processmay be utilized to verify that the person is human (since he needs tocomprehend and process the textual request with the instruction in orderto decide which on-screen item to drag from the collection) and that thehuman user is the genuine user (e.g., who previously logged-in to theservice) based on matching of the user's reaction to the interferencewith a user-specific profile or pattern of reactions to suchinterference in previous usage sessions.

(5) Adding or introducing, intentionally, a delay or time-gap (which maybe constant, or pseudo-random within a particular range of values),between: (a) the pressing or tapping or clicking of a character that theuser clicks or taps or presses, as part of entering user credentials;and (b) the appearance of the character on the screen (or, theappearance of an additional “*” or “x” character which indicates that apassword is being entered); while measuring the user-specific reactionor pattern-of-reactions to such injected delay or time-gap; andutilizing the user-specific pattern or profile of reactions as a means(or as additional means) in subsequent log-in sessions, or to detectfraudulent users, or to differentiate between users.

(6) Presenting an on-screen puzzle (e.g., a simple jigsaw puzzle) thatthe user has to solve or complete, by using drag-and-drop operations;monitoring and capturing user-specific cognitive choices (e.g., whetherthe user typically drags a right-side of the puzzle into the left-side,or whether the user typically drags the left-side of the puzzle into theright side; whether the user solves the puzzle in particular direction,or clockwise, or counter-clockwise, or in a sequence such that eachselected piece is the closest to the previously-dragged piece); andoptionally by introducing a user-interface interference to the processof solving the puzzle (e.g., a puzzle piece appears to be non-responsiveor stuck for a pre-defined time period; a puzzle piece deviates orshifts away from the dragging-route that the user commanded with hisgestures), and monitoring the user's reactions to such interference inorder to extract a user-specific pattern or profile, which may then beused for user authentication or user differentiation purposes.

Optionally, the system may comprise a stochastic cryptography module,able to utilize stochastic cryptology and/or stochastic cryptography forvarious purposes such as remote access. For example, the stochasticcryptography module may utilize cognitive aberrations or interruptionsor interferences in order to monitor and utilize the response orreaction of the user for cryptographic tasks or cryptographic-relatedtasks (e.g., encryption, decryption, hashing, digital signing,authorizing, verification, or the like). The human user may be subjectedto an aberration or interference (which may be selected by the systempseudo-randomly from a pool of pre-defined types of interferences), andthus may produce a reaction which may be user-specific and have somenon-predictable properties (e.g., since each user reacts differently toeach interference, and since the particular interference is selectedpseudo-randomly from a pool of possible interference types)

In a demonstrative embodiment, the system may monitor the manner inwhich a user reacts to a user interface interference, that is selectedby the system from a pool of pre-defined types of interferences; forexample, an interference in which the on-screen pointer appears to be“stuck” or non-responsive; an interference in which the on-screenpointer disappears for a pre-defined time period; an interference inwhich the on-screen pointer moves erratically, or moves in a manner thatis not identical to the route of the movement of the input unit. Theuser reaction, or the corrective action by the user in response to suchinterference, may be monitored and analyzed by the system, and auser-specific reaction model may be extracted, on a per-userper-interference-type basis. This user-specific interference-specificreaction model may be used as a parameter known by the system in orderto implement an algorithm (e.g., encryption, decryption) that utilizesstochastic cryptography or probabilistic cryptography.

For example, if a user requests to encrypt a document or file or digitalasset or digital content item, then the encryption key (or theencryption algorithm) may utilize a user-specific parameter that hasbeen previously extracted by the system by monitoring the user'sreaction to a specific interference-type (e.g., as one of the multipliernumbers in establishing a unique product-of-multiplication number whichmay be used as encryption key). Similarly, in order to decrypt such anencrypted document or file or digital asset, then the system mayintroduce to the user an interference of the type of interferences thathad been used to generate a key in the encryption process; may monitorthe user's reaction to the interference; and may extract a user-specificparameter from the monitored user-specific reaction, which may then beused as part of the decryption process (and may be required forsuccessful decryption). In some implementations, theencryption/decryption (or other cryptographic) algorithm may bestochastic or probabilistic, as it may sometimes fail to perform thecryptographic operation since the user's reaction to an interference ina particular instance may not be exactly identical to the user'sprevious reactions (which had been used in the encryption process);however, such errors may be estimated in advance and/or may beminimized, by taking into account probabilistic consideration.

For example, if it is estimated or observed that one-out-of-four timesthe user's reaction may not match a previously-calculated model ofreaction to interference, then, in one-out-of-four attempts to accessthe encrypted data, the user may fail even though the user was thegenuine user; however, the system may request the user to “try again”,by introducing to the interface a same-type interference (e.g., the sameinterference-type, but the interference being of a differentorder-of-magnitude or scale), and upon such “further attempt” by theuser, the system may extract a user-reaction which corresponds to thepreviously-calculated model, which had been used as a parameter in theencryption process.

In some embodiments, the stochastic encryption process may beimplemented as follows. Initially, an enrollment phase or initiationstage may be performed, in order to monitor and measure the reaction(s)of a particular user to a variety of interferences that are presented tothe user, one interference at a time, from a pre-defined pool ofpossible interferences (e.g., the pool having 5 or 15 or 60 or 100 or250 or 500 or 800 such interferences, or interference-types, orapproximately 200 to 900 interferences, or approximately 400 to 600interferences). Then, the system may generate a user-specific model orprofile, which indicates how the particular user reacts tointerference(s) in general (“user-specific general reaction model”),and/or how the particular user reacts to a particular interference (toseveral particular interferences) in particular (“user-specificparticular reaction model”).

Subsequently, after the user-specific general reaction model isestablished, the system may utilize the user-specific general reactionmodel (or, one or more values of parameters of the user-specific generalreaction model) as a parameter for encryption (e.g., for generating anencryption key, or for generating a private encryption key, or otherwiseas part of an encryption algorithm. From that time-point and onward, theuser-specific general reaction model (and/or any of its parameters) arenot transferred, are not transmitted, and are not communicated among anytwo or more devices or units or entities. This may be in contrast with,for example, a process that utilizes a user's fingerprint as a parameterfor encryption; which subsequently requires the user to provide hiscurrent fingerprint every time that the user desires to access ordecrypt such encrypted content.

Subsequently, in order to decrypt the encrypted content, the system maypresent to the user an “invisible challenge”, namely, an implicitchallenge that the user may respond to without even knowing that achallenge-response process is taking place; and in each decryptionrequest (or decryption attempt) that the use initiates, the system maypresent to the user a different type of invisible challenge from thepool of interferences that had been used by the system in order to buildthe user-specific general reaction model of that user; optionally byusing or re-using a particular interference (or type of interference)while modifying or increasing or decreasing the scale or theorder-of-magnitude of the interference or of one or more parameters ofthat interference or interference-type. Accordingly, the decryptionprocess requires the user to react to a single particular interferenceout of the set of interferences that were used for generating theuser-specific general reaction model; and the decryption processmonitors and measures the user's reaction to the single, presented,interference.

Therefore, an attacker or a “listening hacker” that monitors thecommunication channel during an encryption request, or during multiple(series of) encryption requests, can see one single interference at atime, and one single user-specific reaction at a time to the presentedsingle interference. Accordingly, such listening attacker may not beable to reverse-engineer or to estimate the user-specific generalreaction model, which was computed based on numerous differentinterferences presented in series, and which was the basis forgenerating the encryption key or for generating encryption-relatedparameters. Optionally, in order to further burden a potential attacker,the original pool of possible interference may comprise hundreds or eventhousands of various different interferences and/or interference-types,having various scales or orders-of-magnitude.

As a further clarification, the encryption process may be regarded as aprocess that generates and utilize a “generator function” able togenerate random or pseudo-random numbers. The generator function existson both sides; namely, e.g., on the system's stochastic encryptionmodule which monitored and generated the user-specific general reactionmodel; and at the genuine user's side because the genuine user is ableto react “correctly” to each particular interference, similarly to hispreviously-monitored reactions to such interference. The generatorfunction is able to generate a similar (or identical) sequence or seriesof random (or pseudo-random) numbers, which are then used as a parameterfor encryption; whereas, each decryption operation requires only oneparticular number from the series of random numbers that were used forthe encryption. Accordingly, a listening attacker may be able toobserve, at most, random values transmitted from the genuine user's sideto the server, and may not be able to reverse-engineer or to estimate orto guess the “generator function” itself, and may not be able to predictor to guess or to estimate the next particular number that might be usedin a subsequent decryption request. The generator function (which isused for encryption) may correspond to the user-specific generalreaction model; whereas, the particular number for a particulardecryption operation may correspond to the particular reaction of thespecific user to a particular interference (out of a large set ofinterferences that had been used in order to generate the user-specificgeneral reaction model for encryption purposes).

The present invention may thus provide various advantages and/orbenefits, for cryptographic purposes. For example, a deterministicgenerator function might be subject to reverse-engineering orestimation, if an attacker listens to (or intercepts) asufficiently-large number of random numbers generated by thedeterministic generator function; whereas, the stochastic generatorfunction of the present invention, which is based on the user-specificgeneral reaction model, may not be reverse-engineered or estimated evenif the attacker listens to a large number of values transmitted in aseries of decryption requests; and the stochastic generator function maynot be easily reverse-engineered or estimated since it is not based on adeterministic mathematical function.

Additionally or alternatively, each decryption attempt, in accordancewith the present invention, requires an actual hands-on interaction ofthe user (or the attacker) with an input unit; thereby heavily burdeningany attempt to implement a brute-force attack, or rendering such attacknon-cost-effective, or requiring manual interaction for such brute-forceattack, or requiring a significant amount of time for such brute-forceattack; for example, since an attacker may not be able to merelyautomatically transmit a sequence of numbers (or values) withoutperforming the hands-on manual human interaction that requires time forperformance by the genuine user.

It is clarified that in some implementations, the stochasticencryption/decryption process may trigger “false positive” errors; suchthat, for example, a genuine user may not be able to decrypt hisencrypted file (or content, or digital asset) even though the genuineuser has reacted “correctly” to the specific invisible challenge (orinterference) presented to him; and thus, two or more “correct” attempts(of reaction to interference) may sometimes be required, in order toallow a genuine user to decrypt his encrypted content. As describedabove, a deterministic or mathematic generator function always producesthe same random numbers on both sides; whereas, the stochasticcryptography of the present invention may sometimes generatenon-identical random numbers on both sides, since one side (the server'sside) utilizes the previously-computed user-specific general reactionmodel, whereas the other side (the genuine user's side) utilizes theactual current reaction of the specific user, which may sometime deviatefrom the user's previous reactions that were used for generating theuser-specific general reaction model.

It is clarified that terms such as, for example, “interference”, “userinterface interference”, “input unit interference”, “UI interference”,“GUI interference”, “UI element interference”, “on-screen interference”,“input process interference”, “visual interference”, “visibleinterference”, “aberration”, “perturbation”, “abnormality”, “anomaly”,“irregularity”, “perceived malfunction”, “temporary malfunction”,“invisible challenge”, “hidden challenge”, or other similar terms, maybe used interchangeably; and may refer to one or more processes oroperations in which an irregularity is introduced or generated orinjected into a user-interface or is burdening or altering or modifyinguser interactions, or is generated in order to induce or elicit reactionor reactive action or corrective action in response to suchinterference(s); or a combination of two or more such interferences,introduced in series or in parallel or simultaneously, over one or moreUI element(s) or GUI elements.

In some embodiments, a mood estimator may continuously identify orestimate the mood or feelings of the user (e.g., a customer thatutilizes an electronic device), when the user utilizes a website or anapplication. This may be used in order to adjust or modify or tailormessages (e.g., advertisements, proposals, promotions, businessofferings) to the user. The system may inject cognitive aberrations orinterferences to the interaction between the user and the application orwebsite; and may monitor and measure the reaction of the user. The moodestimator 261 may compare between the current specific reaction of theuser, and a historic profile of the user; and may identify parameters,for example, level of concentration or focusing, response speed, mannerof reaction, or the like; thereby allowing a marketing/sales module orsub-system (which may be associated with the website or application) tofurther analyze the purchase-related and/or viewing-related (orbrowsing-related) behavior of the user by utilizing such parameters, inorder to tailor or modify marketing proposals or other contentdisplayed, to the particular cognitive state of the user as estimated atthat time based on the user's reactions to injected interferences.

Some embodiments may identify or detect a remote access attacker, or anattacker or a user that utilizes a remote access channel to access (orto attack, or to compromise) a computerized service.

In some embodiments, a method comprises: determining whether a user, whoutilizes a computing device to interact with a computerized service, (i)is co-located physically near said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputer device via a remote access channel; wherein the determiningcomprises: (a) injecting, to a user interface of said computerizedservice, an interference which affects differently local users andremote users; (b) monitoring interactions of the user with an inputunit, in response to said interference; (c) based on said monitoring,determining whether said user (i) is co-located physically at saidcomputing device, or (ii) is located remotely from said computing deviceand controlling remotely said computing device via said remote accesschannel.

In some embodiments, the determining of step (c) is based on a latencybetween (A) the injecting of said interference, and (B) the input unitinteractions of said user in response to said interference.

In some embodiments, the determining of step (c) is based on a type ofreaction of said user to the injecting of said interference.

In some embodiments, the method comprises: hiding a mouse-pointer on ascreen of said computerized service; monitoring input unit reactions ofsaid user in response to the hiding of the mouse-pointer; based on theinput unit reactions of said user in response to the hiding of themouse-pointer, determining whether said user is (i) co-locatedphysically at said computing device, or (ii) is located remotely fromsaid computing device and controlling remotely said computing device viasaid remote access channel.

In some embodiments, the method comprises: replacing an originalmouse-pointer on a screen of said computerized service, with a fakemouse-pointer deviated from a location of said original mouse-pointer;monitoring input unit interactions of said user when the fakemouse-pointer is displayed on said computing device that is accessingsaid computerized service; based on the input unit interactions with thefake mouse-pointer, determining whether said user is (i) co-locatedphysically at said computing device, or (ii) is located remotely fromsaid computing device and controlling remotely said computing device viasaid remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit; based on a frequency ofsaid sampling, determining whether said user is (i) co-locatedphysically at said computing device, or (ii) is located remotely fromsaid computing device and controlling remotely said computing device viasaid remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit; based on a level ofnoise in said sampling, determining whether said user is (i) co-locatedphysically at said computing device, or (ii) is located remotely fromsaid computing device and controlling remotely said computing device viasaid remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-smooth movement of the computer mouse, then,determining that said user is co-located physically near said computingdevice.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-rough movement of the computer mouse, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-linear movement of the computer mouse, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates sharp-turn movements of the computer mouse, then, determiningthat said user is located remotely from said computing device andcontrolling remotely said computing device via said remote accesschannel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit; if a frequency of saidmultiple interactions is below a pre-defined threshold, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel; if the frequency of said multiple interactions is abovethe pre-defined threshold, then, determining that said user isco-located physically near said computing device.

In some embodiments, the method comprises: overloading one or moreresources of the computing device which is used for accessing saidcomputerized service; measuring an effect of said overloading onfrequency of sampling user interactions via an input unit; based on themeasured effect of said overloading, determining whether said user is(i) co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: overloading a data transfercommunication channel of the computing device that is used for accessingsaid computerized service; measuring an effect of said overloading onfrequency of sampling user interactions via an input unit; based on themeasured effect of said overloading, determining whether said user is(i) co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: overloading a screen displayof the computing device that is used for accessing said computerizedservice; measuring an effect of said overloading on frequency ofsampling user interactions via an input unit; based on the measuredeffect of said overloading, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: displaying an instantaneouspriming message on a screen of the computing device that is utilized foraccessing said computerized service; measuring an effect of theinstantaneous priming message on sampled user interactions via an inputunit; based on the measured effect of said instantaneous primingmessage, determining whether said user is (i) co-located physically atsaid computing device, or (ii) is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel.

In some embodiments, the method comprises: injecting, into a log-inscreen of the computerized service, a user interface interference thatcauses non-remote users to perform corrective mouse gestures;immediately after a log-in into the computerized service, displaying asubsequent screen of the computerized service without said userinterface interference; monitoring mouse gestures of the user in thesubsequent screen; if the monitored mouse gestures in the subsequentscreen comprise corrective mouse gestures, then, determining that a userof the subsequent screen is a local user located physically at thecomputing device; if the monitored mouse gestures in said subsequentscreen lacks corrective mouse gestures, then, determining that a user ofthe subsequent screen is located remotely from said computing device andcontrolling remotely said computing device via said remote accesschannel.

In some embodiments, the method comprises: sampling user interactionswith an input unit of said computing device; based on said sampling,determining that said user is utilizing a first set of hardwarecomponents which is capable of sampling the input unit at a firstfrequency; subsequently, (A) sampling additional, subsequent userinteractions; (B) determining that a second, lower, frequencycharacterizes said subsequent sampling; (C) determining that a second,different, set of hardware components is being used; (D) determiningthat a non-authorized person is accessing said computerized service.

In some embodiments, the method comprises: sampling user interactionswith an input unit of a mobile computing device; analyzing temporalrelationship between touch and accelerometer events of sampled userinteractions with said input unit of the mobile computing device; basedon analysis of temporal relationship between touch and accelerometerevents, of sampled user interactions with said input unit of the mobilecomputing device, determining whether the said mobile computing deviceis controlled remotely via said remote access channel.

In some embodiments, the method comprises: sampling user interactionswith an input unit of a mobile computing device; analyzing temporalrelationship between touch movement events and accelerometer events, ofsampled user interactions with said input unit of the mobile computingdevice; based on analysis of temporal relationship between touchmovement event and accelerometer events, of sampled user interactionswith said input unit of the mobile computing device, determining whetherthe said mobile computing device is controlled remotely via said remoteaccess channel.

In some embodiments, the method comprises: (A) sampling touch-basedgestures of a touch-screen of a mobile computing device; (B) samplingaccelerometer data of said mobile computing device, during a time periodwhich at least partially overlaps said sampling of touch-based gesturesof the touch-screen of the mobile computing device; (C) based on amismatch between (i) sampled touch-based gestures, and (ii) sampledaccelerometer data, determining that the mobile computing device wascontrolled remotely via said remote access channel.

In some embodiments, the method comprises: (A) sampling touch-basedgestures of a touch-screen of a mobile computing device; (B) samplingaccelerometer data of said mobile computing device, during a time periodwhich at least partially overlaps said sampling of touch-based gesturesof the touch-screen of the mobile computing device; (C) determining thatsampled touch-based gestures indicate that a user operated the mobilecomputing device at a particular time-slot; (D) determining that thesampled accelerometer data indicate that the mobile computing device wasnot moved during said particular time-slot; (E) based on the determiningof step (C) and the determining of step (D), determining that the mobilecomputing device was controlled remotely via said remote access channelduring said particular time-slot.

In some embodiments, a comprises: a user identity determination moduleto determine whether a user, who utilizes a computing device to interactwith a computerized service, is either (i) co-located physically nearsaid computing device, or (ii) located remotely from said computingdevice and is controlling remotely said computer device via a remoteaccess channel; wherein the user identity determination module is: (a)to inject, to a user interface of said computerized service, aninterference which affects differently local users and remote users; (b)to monitor interactions of the user with an input unit, in response tosaid interference; (c) based on the monitored interactions, to determinewhether said user (i) is co-located physically at said computing device,or (ii) is located remotely from said computing device and controllingremotely said computing device via said remote access channel.

In some embodiments, the user identity determination module is todetermine in step (c), based on a latency between (A) injection of saidinterference, and (B) the input unit interactions of said user inresponse to said interference.

In some embodiments, the user identity determination module is todetermine in step (c), based on a type of reaction of said user to theinjecting of said interference.

Some embodiments may detect a malicious automatic script, and/or maydetect malicious code injection (e.g., malicious HTML code injection).

In some embodiments, a method comprises: determining whether a user, whoutilizes a computing device to interact with a computerized service, (i)is a human user, or (ii) is an automatic script executed by a processor;wherein the determining comprises: (a) monitoring user-side input-unitinteractions performed through one or more input units; (b) matchingbetween (A) the user-side input-unit interactions and (B) data sentelectronically from said computerized service; (c) if the comparingresult is that (A) the user-side input-unit interactions do not exactlymatch (B) the data sent electronically from said computerized service,then determining that the computing device is operated by automaticscript executed by said processor.

In some embodiments, the method comprises: based on the monitoring ofthe user-side input-unit interactions, detecting absence of anyuser-side input-unit interactions within a pre-defined time periodduring which the computing device transmitted data to the computerizedservice; based on detecting absence of any user-side input-unitinteractions within said pre-defined time period, determining whetherthe computing device is operated by automatic script executed by saidprocessor.

In some embodiments, the method comprises: based on the monitoring ofthe user-side input-unit interactions, detecting a number of keystrokesentered via a keyboard within a pre-defined time period during which thecomputing device transmitted data to the computerized service;determining a total number of keystrokes that a human is expected tomanually enter in order to cause the computing device to transmit saiddata to the computerized service; based on matching between (A) thenumber of keystrokes entered via the keyboard, and (B) the total numberof keystrokes that the human is expected to manually enter, determiningwhether the computing device is operated by automatic script executed bysaid processor.

In some embodiments, the method comprises: based on the monitoring ofthe user-side input-unit interactions, determining that keystrokesentered via a keyboard, within a pre-defined time period during whichthe computing device transmitted data to the computerized service,correspond to: (a) a first batch of keystrokes having a firstkeystrokes-length; and (b) a second batch of keystrokes having a secondkeystrokes-length; determining that the data transmitted from thecomputing device to the computerized service corresponds to: (A) a firststring having a first string-length; and (B) a second string having asecond string-length; based on matching between the firstkeystrokes-length and the first string-length, determining whether thecomputing device is operated by automatic script executed by saidprocessor.

In some embodiments, the method comprises: based on the monitoring ofuser-side input-unit interactions, determining that keystrokes enteredvia a keyboard, within a pre-defined time period during which thecomputing device transmitted data to the computerized service,correspond to: (a) a first batch of keystrokes having a firstkeystrokes-length; and (b) a second batch of keystrokes having a secondkeystrokes-length; determining that the data transmitted from thecomputing device to the computerized service corresponds to: (A) a firststring having a first string-length; and (B) a second string having asecond string-length; wherein a total of the first and secondkeystrokes-length, is equal to a total of the first and second stringlengths; based on matching between the first keystrokes-length and thefirst string-length, determining whether the computing device isoperated by automatic script executed by said processor.

In some embodiments, the method comprises: monitoring time-intervalsamong the user-side input-unit interactions; based on saidtime-intervals among the user-side input-unit interactions beingconstant, determining that the computing device is operated by anautomatic script executed by said processor.

In some embodiments, the method comprises: monitoring time-intervalsamong the user-side input-unit interactions; modeling human user'stime-intervals among the user-side input-unit interactions; based oncomparing between (A) said monitored time-intervals among the user-sideinput-unit interactions and (B) said modeled human user's time-intervalsamong the user-side input-unit interactions, determining whether thecomputing device is operated by an automatic script executed by saidprocessor.

In some embodiments, the method comprises: monitoring time-gaps amongthe user-side input-unit interactions; determining distribution of saidtime-gaps among the user-side input-unit interactions; if saiddistribution corresponds to a pseudo-random distribution, thendetermining that the computing device is operated by automatic scriptexecuted by said processor.

In some embodiments, the method comprises: monitoring time-gaps amongthe user-side input-unit interactions; storing in a database a userprofile indicating that a particular human user typically types at aparticular temporal pattern of typing when interacting with saidcomputerizes service; subsequently, determining whether a currenttemporal pattern of typing, reflected in a current usage session of saidcomputing device for interacting with said computerized service, isdifferent by at least a threshold percentage from said particulartemporal pattern of typing stored in said user profile; based on saiddetermining, further determining whether the computing device isoperated by automatic script executed by said processor.

In some embodiments, the method comprises: monitoring time-gaps amongthe user-side input-unit interactions; storing in a database a userprofile indicating that a particular human user typically types aparticular sequence of multiple characters in a specific temporalpattern; subsequently, monitoring keystrokes of current user-sideinput-unit interactions; determining whether the current user-sideinput-unit interactions, comprise typing of said particular sequence ofmultiple characters, but do not comprise rapid typing of said particularsequence of multiple characters; based on said determining, furtherdetermining whether the computing device is operated by automatic scriptexecuted by said processor.

In some embodiments, the method comprises: computing a first checksum ofdata entered manually via a keyboard of said computing device; receivingfrom said computerized service a second checksum of user-provided datawhich was transmitted from the computing device to the computerizedservice; matching between (A) the first checksum of data enteredmanually via the keyboard of said computing device, and (B) the secondchecksum of user-provided data which was transmitted from the computingdevice to the computerized service; based on said matching of said firstand second checksums, determining whether the computing device isoperated by automatic script executed by said processor.

In some embodiments, the method comprises: computing a first checksum ofdata entered manually via a keyboard of said computing device; receivingfrom said computerized service a second checksum of user-provided datawhich was transmitted from the computing device to the computerizedservice; matching between (A) the first checksum of data enteredmanually via the keyboard of said computing device, and (B) the secondchecksum of user-provided data which was transmitted from the computingdevice to the computerized service; based on said matching of said firstand second checksums, determining whether the computing device isoperated by automatic script executed by said processor; wherein saiddetermining is performed without receiving from said computerizedservice a copy of said user-provided data which was transmitted from thecomputing device to the computerized service.

In some embodiments, the method comprises: computing a first hashingresult of data entered manually via a keyboard of said computing device;receiving from said computerized service a second hashing result ofuser-provided data which was transmitted from the computing device tothe computerized service; matching between (A) the first hashing resultof data entered manually via the keyboard of said computing device, and(B) the second hashing result of user-provided data which wastransmitted from the computing device to the computerized service; basedon said matching of said first and second hashing results, determiningwhether the computing device is operated by automatic script executed bysaid processor.

In some embodiments, the method comprises: computing a first hashingresult of data entered manually via a keyboard of said computing device;receiving from said computerized service a second hashing result ofuser-provided data which was transmitted from the computing device tothe computerized service; matching between (A) the first hashing resultof data entered manually via the keyboard of said computing device, and(B) the second hashing result of user-provided data which wastransmitted from the computing device to the computerized service; basedon said matching of said first and second hashing results, determiningwhether the computing device is operated by automatic script executed bysaid processor; wherein said determining is performed without receivingfrom said computerized service of a copy of said user-provided datawhich was transmitted from the computing device to the computerizedservice.

In some embodiments, the method comprises: comparing (A) meta-data aboutthe user-side input-unit interactions, with (B) meta-data about the datasent electronically from said computing device to said computerizedservice; wherein the method is performed without receiving from saidcomputerized service a copy of the data sent electronically from saidcomputing device to said computerized service; matching (A) themeta-data about the user-side input-unit interactions, with (B) themeta-data about the data sent electronically from said computing deviceto said computerized service; based on said matching, determiningwhether the computing device is operated by automatic script executed bysaid processor.

In some embodiments, the method comprises: determining that thecomputing device is infected by a code injector malware, by performing:detecting a mismatch between (A) a total number of data fields that thecomputing device transmitted to said computerized service, and (B) atotal number of data fields that the user of the computing devicefilled-out manually via a keyboard of said computing device.

In some embodiments, the method comprises: determining that thecomputing device is infected by a code injector malware, by performing:detecting a mismatch between (A) a total number of data fields that thecomputing device transmitted to said computerized service, and (B) atotal number of strings that the user of the computing device typedmanually via a keyboard of said computing device.

In some embodiments, the method comprises: determining that thecomputing device is infected by a code injector malware, by performing:(a) receiving from said computerized service, meta-data about a numberof filled-out fields that the computerized service receivedelectronically from said computing device; (b) based on monitoreduser-side input-unit interactions, that were manually performed via akeyboard of said computing device, calculating meta-data about a numberof filled-out fields that were manually filled-out via said keyboard;(c) detecting a mismatch between (A) the meta-data about the number offilled-out fields that the computerized service received electronicallyfrom said computing device, and (B) the calculated meta-data about thenumber of filled-out fields that were manually filled-out via saidkeyboard.

In some embodiments, the method comprises: determining that thecomputing device is infected by a code injector malware, by performing:(a) receiving from said computerized service, meta-data about a numberof filled-out fields that the computerized service receivedelectronically from said computing device; (b) based on monitoreduser-side input-unit interactions, that were manually performed via akeyboard of said computing device, calculating meta-data about a numberof filled-out fields that were manually filled-out via said keyboard;(c) detecting a mismatch between (A) the meta-data about the number offilled-out fields that the computerized service received electronicallyfrom said computing device, and (B) the calculated meta-data about thenumber of filled-out fields that were manually filled-out via saidkeyboard; wherein detecting said mismatch is performed withoutreceiving, and without taking into consideration, a copy of the datathat the computerized service received electronically from saidcomputing device.

In some embodiments, the method comprises: based on monitored user-sideinput-unit interactions, computing a particular velocity profile ofpointer strokes; generating a model corresponding to velocity profile ofpointer strokes performed by human users; based on comparison between(A) said particular velocity profile, and (B) said model correspondingto velocity profile of pointer strokes performed by humanusers—determining whether the computing device is operated by automaticscript executed by said processor.

In some embodiments, the method comprises: based on monitored user-sideinput-unit interactions, extracting a particular time interval profilereflecting time intervals between down click events and up click eventsof a pointing device; generating a model of time intervals between downclick events and up click events of pointing devices performed by humanusers; based on a comparison between (A) said particular time intervalprofile, and (B) said model of time intervals between down-click eventsand up click events of pointing devices performed by human users,determining whether the computing device is operated by automatic scriptexecuted by said processor.

In some embodiments, the method comprises: based on monitored user-sideinput-unit interactions, extracting a profile of time intervals betweenpointer strokes and down click events of a pointing device; generating amodel of time intervals between pointer strokes and down click events ofpointing devices performed by human users; based on comparing between(A) said profile of time intervals, and (B) said model of timeintervals, determining whether the computing device is operated byautomatic script executed by said processor.

In some embodiments, a system comprises: an automatic script detectormodule to determine whether a user, who utilizes a computing device tointeract with a computerized service, is either (i) a human user, or(ii) an automatic script executed by a processor; wherein the automaticscript detector module is: (a) to monitor user-side input-unitinteractions performed through one or more input units; (b) to matchbetween (A) the user-side input-unit interactions and (B) data sentelectronically from said computerized service; (c) if the comparingresult is that (A) the user-side input-unit interactions do not exactlymatch (B) the data sent electronically from said computerized service,then to determine that the computing device is operated by automaticscript executed by said processor.

Some embodiments may detect hardware components and/or hardwareassembly.

In some embodiments, a method comprises: differentiating between (a) afirst hardware assembly utilized for interacting with a computerizedservice, and (b) a second hardware assembly utilized for interactingwith said computerized service, by performing: monitoring user-sideinput-unit interactions of one or more input units which are being usedfor interacting with said computerized service; extracting from saiduser-side input-unit interactions a hardware-assembly-specific usagecharacteristic; performing said differentiating based on saidhardware-assembly-specific usage characteristic.

In some embodiments, the differentiating is independent of, and does nottake into account, data stored in any cookie file on any one of thefirst and second hardware assemblies.

In some embodiments, the differentiating is independent of, and does nottake into account, Internet Protocol (IP) addresses associated with anyone of the first and second hardware assemblies.

In some embodiments, the method comprises: samplingpointing-device-events of said user-side input-unit interactions;determining a device-specific signature reflecting saidpointing-device-events sampling; performing said differentiating basedon said device-specific signature reflecting said pointing-device-eventssampling.

In some embodiments, the method comprises: sampling keyboard-events ofsaid user-side input-unit interactions; determining a device-specificsignature reflecting said keyboard-events sampling; performing saiddifferentiating based on said device-specific signature reflecting saidkeyboard-events sampling.

In some embodiments, the method comprises: sampling touchpad-events ofsaid user-side input-unit interactions; determining a device-specificsignature reflecting said touchpad-events sampling; performing saiddifferentiating based on said device-specific signature reflecting saidtouchpad-events sampling.

In some embodiments, the method comprises: sampling pointing-stickevents of said user-side input-unit interactions; determining adevice-specific signature reflecting said pointing-stick eventssampling; performing said differentiating based on said device-specificsignature reflecting said pointing-stick events sampling.

In some embodiments, the method comprises: measuring a first length of alongest-stroke of on-screen pointer movement, in a first usage sessionof the computerized service; measuring a first length of alongest-stroke of on-screen pointer movement, in a second usage sessionof the computerized service; if the first length of the longest-strokein the first usage session, is different from the second length of thelongest-stroke in the second usage session, by at least a pre-definedpercentage value, then determining that (A) the first usage session ofthe computerized service was accessed via the first hardware assembly,and that (B) the second usage session of the computerized service wasaccessed via the second hardware assembly.

In some embodiments, the method comprises: measuring a first length of alongest-stroke of on-screen pointer movement, in a first usage sessionof the computerized service; measuring a first length of alongest-stroke of on-screen pointer movement, in a second usage sessionof the computerized service; if the first length of the longest-strokein the first usage session, is different from the second length of thelongest-stroke in the second usage session, by at least a pre-definedpercentage value, then determining that (A) the first usage session ofthe computerized service was accessed via a computer mouse, and that (B)the second usage session of the computerized service was accessed via atouchpad.

In some embodiments, the method comprises: analyzing strokes ofmovements of an on-screen pointer movement, in a first usage session ofthe computerized service; analyzing strokes of movements of theon-screen pointer movement, in a second usage session of thecomputerized service; based on both of said analyzing, determining that(A) the first usage session of the computerized service was accessed viaa computer mouse, and that (B) the second usage session of thecomputerized service was accessed via a touchpad.

In some embodiments, the method comprises: analyzing strokes ofmovements of an on-screen pointer movement, in a first usage session ofthe computerized service; analyzing strokes of movements of theon-screen pointer movement, in a second usage session of thecomputerized service; based on both of said analyzing, determining that(A) the first usage session of the computerized service was accessed viaa computer mouse, and that (B) the second usage session of thecomputerized service was accessed via a pointing-stick.

In some embodiments, the method comprises: analyzing strokes ofmovements of an on-screen pointer movement, in a first usage session ofthe computerized service; analyzing strokes of movements of theon-screen pointer movement, in a second usage session of thecomputerized service; based on both of said analyzing, determining that(A) the first usage session of the computerized service was accessed viaa touchpad, and that (B) the second usage session of the computerizedservice was accessed via a pointing-stick.

In some embodiments, the method comprises: measuring acceleration of anon-screen pointer movement, in a first usage session of the computerizedservice; measuring acceleration of an on-screen pointer movement, in asecond usage session of the computerized service; based on both of saidmeasuring, determining that (A) the first usage session of thecomputerized service was accessed via a computer mouse, and that (B) thesecond usage session of the computerized service was accessed via atouchpad.

In some embodiments, the method comprises: measuring acceleration of anon-screen pointer movement, in a first usage session of the computerizedservice; measuring acceleration of an on-screen pointer movement, in asecond usage session of the computerized service; based on both of saidmeasuring, determining that (A) the first usage session of thecomputerized service was accessed via a computer mouse, and that (B) thesecond usage session of the computerized service was accessed via apointing-stick.

In some embodiments, the method comprises: measuring acceleration of anon-screen pointer movement, in a first usage session of the computerizedservice; measuring acceleration of an on-screen pointer movement, in asecond usage session of the computerized service; based on both of saidmeasuring, determining that (A) the first usage session of thecomputerized service was accessed via a touchpad, and that (B) thesecond usage session of the computerized service was accessed via apointing-stick.

In some embodiments, the method comprises: sampling and analyzingmouse-events in a first usage session of the computerized service;sampling and analyzing mouse-events in a second usage session of thecomputerized service; based on differences between (a) the sampled andanalyzed mouse events in the first usage session, and (b) the sampledand analyzed mouse events in the second usage session, determining that(A) the first usage session was accessed via a first mouse-device madeby a first manufacturer, and that (B) the second usage session wasaccessed via a second mouse-device made by a second manufacturer.

In some embodiments, the method comprises: sampling and analyzingmouse-events in a first usage session of the computerized service;sampling and analyzing mouse-events in a second usage session of thecomputerized service; based on differences between (a) the sampled andanalyzed mouse events in the first usage session, and (b) the sampledand analyzed mouse events in the second usage session, determining that(A) the first usage session was accessed via a first mouse-device madeby a particular manufacturer and having a particular model number, andthat (B) the second usage session was accessed via a second mouse-devicemade by the same particular manufacturer and having the same particularmodel number.

In some embodiments, the method comprises: temporarily generating aresource-consuming burden on client-side hardware assemblies that areused for accessing said computerized service; measuring performance ofmultiple client-side hardware assemblies in response to the generatedresource-consuming burden; based on the measured performance of multipleclient-side hardware assemblies in response to the generatedresource-consuming burden, differentiating between said first hardwareassembly and said second hardware assembly.

In some embodiments, the method comprises: temporarily generating acomputation-intensive burden on client-side hardware assemblies that areused for accessing said computerized service; measuring performance ofmultiple client-side hardware assemblies in response to the generatedcomputation-intensive burden; based on the measured performance ofmultiple client-side hardware assemblies in response to the generatedcomputation-intensive burden, differentiating between said firsthardware assembly and said second hardware assembly.

In some embodiments, the method comprises: monitoring keyboardinteractions with said computerized service; identifying a sequence ofmultiple particular characters, that are entered consecutively viakeyboard more rapidly than other character sequences; determining thatsaid sequence of multiple characters, is more common in a particularnatural language; determining that said computerized service is accessedvia a hardware assembly utilizing a keyboard having a keyboard-layout ofsaid particular natural language.

In some embodiments, the method comprises: monitoring keyboardinteractions with said computerized service; identifying a sequence ofmultiple particular characters, that are entered consecutively viakeyboard more rapidly than other character sequences; determining thatsaid sequence of multiple characters, is more common in a particularnatural language; determining that said computerized service is accessedvia a hardware assembly utilizing a keyboard having a keyboard-layout ofsaid particular natural language; wherein both of said determiningoperations are performed without taking into consideration an InternetProtocol (IP) address associated with said hardware assembly being usedfor accessing said computerized service.

In some embodiments, the method comprises: displaying through saidcomputerized service a challenge requesting a user to correctly enter aparticular word in a particular non-English natural language, whereintyping of the particular word requires typing an accented character;receiving user-entered keystrokes which indicate typing of saidparticular word while typing said accented character; based on saiduser-entered keystrokes which indicate typing of said particular wordwhile typing said accented character, determining that the computerizedservice is accessed by a user that utilizes a keyboard having anon-English keyboard layout which corresponds to said particularnon-English natural language.

In some embodiments, the method comprises: displaying through saidcomputerized service a challenge requesting a user to correctly enter aparticular word in a particular non-English natural language, whereintyping of the particular word requires typing a character having adiacritical mark; receiving user-entered keystrokes which indicatetyping of said particular word while typing said character having saiddiacritical mark; based on said user-entered keystrokes which indicatetyping of said particular word while typing said character having saiddiacritical mark, determining that the computerized service is accessedby a user that utilizes a keyboard having a non-English keyboard layoutwhich corresponds to said particular non-English natural language.

In some embodiments, a system comprises a hardware assembly detectormodule to differentiate between (a) a first hardware assembly utilizedfor interacting with a computerized service, and (b) a second hardwareassembly utilized for interacting with said computerized service;wherein the hardware assembly detector module is: to monitor user-sideinput-unit interactions of one or more input units which are being usedfor interacting with said computerized service; to extract from saiduser-side input-unit interactions a hardware-assembly-specific usagecharacteristic; to perform differentiation based on saidhardware-assembly-specific usage characteristic.

Some embodiments may enable user segmentation based on monitoring ofinput-unit interactions.

In some embodiments, a method comprises: differentiating between (a) afirst user interacting with a computerized service, and (b) a seconduser interacting with said computerized service; wherein thedifferentiating does not rely on Internet Protocol (IP) addressanalysis; wherein the differentiating does not rely on cookie filesanalysis; wherein the differentiating comprises: monitoring user-sideinput-unit interactions with said computerized service; extracting fromsaid user-side input-unit interactions a user-specific characteristic;based on the user-specific characteristic extracted from said user-sideinput-unit interactions, differentiating between said first user andsaid second user.

In some embodiments, the differentiating (A) does not rely on injectionof a user-interface interference to said computerized service, and (B)does not rely on user reaction to any user-interface interference.

In some embodiments, the extracting comprises: extracting from saiduser-side input-unit interactions a user-specific characteristic whichindicates at least one of: (a) user gender; (b) user age-range; (c) usergeographic location; (d) user level of expertise in computer-relatedtasks; (e) user anatomical characteristics.

In some embodiments, the method comprises: monitoring utilization ofkeyboard shortcuts during interactions with said computerized service;based on the monitored utilization of keyboard shortcuts duringinteractions with said computerized service, determining the level ofexpertise of a particular user in operating computerized platforms.

In some embodiments, the method comprises: monitoring utilization ofkeyboard shortcuts during interactions with said computerized service;based on the monitored utilization of keyboard shortcuts duringinteractions with said computerized service, determining whether aparticular user is (a) within an age-range of 15 to 30 years old, or (b)within an age-range of 65 and greater years old.

In some embodiments, the method comprises: monitoring utilization ofcopy-and-paste operations during interactions with said computerizedservice; based on the monitored utilization of copy-and-paste operationsduring interactions with said computerized service, determining thelevel of expertise of a particular user in operating computerizedplatforms

In some embodiments, the method comprises: monitoring average typingspeed during interactions with said computerized service; based on themonitored average typing speed during interactions with saidcomputerized service, determining the level of expertise of a particularuser in operating computerized platforms.

In some embodiments, the method comprises: monitoring average typingspeed during interactions with said computerized service; based on themonitored average typing speed during interactions with saidcomputerized service, determining whether a particular user is an olduser or a young user.

In some embodiments, the method comprises: monitoring user keystrokesduring interactions with said computerized service; extractingstatistics of time-gaps between pairs of key-down and key-up events;based on the extracted statistics of said time-gaps between pairs ofkey-down and key-up events, determining whether a particular user is amale user or a female user.

In some embodiments, the method comprises: monitoring keyboardinteractions of a user with said computerized service; extractingstatistics of time-gaps between pairs of key-down and key-up events, forkeys in different locations along the keyboard; based on the extractedstatistics of time-gaps, determining whether the fingers of a particularuser are short or long.

In some embodiments, the method comprises: monitoring keystrokes of afirst user during interactions with said computerized service;extracting first statistics of the time-gaps between pairs of key-downand key-up events during the first user interactions with thecomputerized service; monitoring keystrokes of a second user duringinteractions with said computerized service; extracting secondstatistics of the time-gaps between pairs of key-down and key-up eventsduring the second user interactions with the computerized service; basedon said extracted first statistics of first user and said extractedsecond statistics of second user, differentiating that the first user ismale and that the second user is female.

In some embodiments, the method comprises: monitoring keyboardinteractions of a first user with said computerized service; identifyinga sequence of multiple particular characters, that are entered by thefirst user consecutively via keyboard more rapidly than other charactersequences that the first user types; determining that said sequence ofmultiple characters, is more common in a particular natural language;determining that keyboard interactions of a second user, with saidcomputerized service, lack rapid typing of said sequence of particularcharacters; based on both of said determining, differentiating betweenthe first user and the second user.

In some embodiments, the method comprises: monitoring keyboardinteractions of a first user with said computerized service; identifyinga sequence of multiple particular characters, that are entered by thefirst user consecutively via keyboard more rapidly than other charactersequences that the first user types; determining that said sequence ofmultiple characters, is more common for users of a particular keyboardlayout that is more common at a particular geographic region;determining that keyboard interactions of a second user, with saidcomputerized service, lack rapid typing of said sequence of particularcharacters; based on both of said determining, differentiating betweenthe first user and the second user.

In some embodiments, the method comprises: sampling user-side input-unitinteractions of a user with said computerized service; performingfrequency analysis of said sampled user-side input-unit interactions ofa first user with said computerized service; based on said frequencyanalysis, determining characteristics of a power supply of the computingdevice of said user; based on determinations of characteristics of thepower supply of the computing device of said user, determining that thecomputing device of said user is located in a particular geographicregion.

In some embodiments, the method comprises: monitoring keyboardinteractions of a first user with said computerized service; based oncharacteristics of the monitored keyboard interactions, determining both(A) gender of the first user, and (B) age-range of said user; based onthe determined gender and age-range of said first user, displaying tosaid first user tailored advertisement content.

In some embodiments, the method comprises: monitoring keyboardinteractions of a first user with said computerized service; based oncharacteristics of the monitored keyboard interactions, determining both(A) a natural language spoken by the first user, and (B) age-range ofsaid user; based on the determined natural language and age-range ofsaid first user, displaying to said first user tailored advertisementcontent.

In some embodiments, the method comprises: monitoring user-sideinput-unit interactions of the first user with said computerizedservice; based on characteristics of the monitored keyboard interactionsand pointing device events, determining a current mood of said user;based on the determined mood of said first user, displaying to saidfirst user tailored content suitable for said current mood of said firstuser.

In some embodiments, a system comprises: a user identity determinationmodule to differentiate between (a) a first user interacting with acomputerized service, and (b) a second user interacting with saidcomputerized service; wherein the differentiating by the user identitydetermination module does not rely on Internet Protocol (IP) addressanalysis; wherein the differentiating by the user identity determinationmodule does not rely on cookie files analysis; wherein the user identitydetermination module is: to monitor user-side input-unit interactionswith said computerized service; to extract from said user-sideinput-unit interactions a user-specific characteristic; based on theuser-specific characteristic extracted from said user-side input-unitinteractions, to differentiate between said first user and said seconduser.

In some embodiments, the system comprises: a user expertise estimatormodule (A) to monitor utilization of keyboard shortcuts duringinteractions with said computerized service, and (B) based on themonitored utilization of keyboard shortcuts during interactions withsaid computerized service, determining the level of expertise of aparticular user in operating computerized platforms.

In some embodiments, the system comprises: a user gender estimatormodule (a) to monitor user keystrokes during interactions with saidcomputerized service, (b) to extract statistics of time-gaps betweenpairs of key-down and key-up events, and (c) based on the extractedstatistics of said time-gaps between pairs of key-down and key-upevents, to determine whether a particular user is a male user or afemale user.

Some embodiments may identify multiple-users accessing the same account(e.g., subscription account, personal account).

In some embodiments, a method comprises: determining that a particularsubscription account of a computerized service, is accessed by twodifferent human users who utilize a same set of login credentials, byperforming: (a) monitoring input-unit interactions of pairs of usagesessions that originated from pairs of two different subscriptionsaccounts; (b) extracting from the input-unit interactions that weremonitored in step (a), a cross-account usage-session pairing pattern;(c) monitoring input-unit interactions of pairs of usage sessions thatoriginated from a same subscription account; (d) extracting from theinput-unit interactions that were monitored in step (c), anintra-account usage-session pairing pattern; (e) determining whether apair of usage sessions, that originated from said particularsubscription account, is: (i) relatively more similar to thecross-account usage-session pairing pattern, or (ii) relatively moresimilar to the intra-account usage-session pairing pattern.

In some embodiments, the method comprises: if it is determined in step(e) that the pair of usage session, that originated from said particularsubscription account, is relatively more similar to the cross-accountusage-session pairing pattern, then generating a notification that saidparticular subscription account is accessed by two different human userswho utilize the same set of login credentials.

In some embodiments, the monitoring of step (a) comprises: monitoringinput-unit interactions of pairs of usage sessions that originated frompairs of two different subscriptions accounts and which comprise userreactions to an injected user-interface interference; wherein themonitoring of step (c) comprises: monitoring input-unit interactions ofpairs of usage sessions that originated from a same subscription accountand which comprise user reactions to said injected user-interfaceinterference.

In some embodiments, the monitoring of step (a) comprises: monitoringinput-unit interactions of pairs of usage sessions that originated frompairs of two different subscriptions accounts and which comprise naturalinteractions that are not induced by any user-interface interference;wherein the monitoring of step (c) comprises: monitoring input-unitinteractions of pairs of usage sessions that originated from a samesubscription account and which comprise natural interactions that arenot induced by any user-interface interference.

In some embodiments, the method comprises: checking whether acharacteristic of monitored user-interface interactions over a pair ofusage-sessions of a same subscription account, is more similar toeither: (i) a first pattern of user-interface interactions thatcharacterize multiple pairs of usage sessions of different human users,or (ii) a second pattern of user-interface interactions thatcharacterizes multiple pairs of usage sessions wherein each pair ofusage session belong to the same subscription account.

In some embodiments, the method comprises: if it is determined that saidcharacteristic of monitored user-interface interactions, over said pairof usage-sessions of the same subscription account, is more similar tosaid first pattern of user-interface interactions that characterizemultiple pairs of usage sessions of different human users, thengenerating a notification that said particular subscription account isaccessed by two different human users who utilize the same set of logincredentials.

In some embodiments, the method comprises: checking whether acharacteristic of monitored user-interface interactions over a pair ofusage-sessions of a same subscription account, that comprise userreactions to an injected user-interface interference, is more similar toeither: (i) a first pattern of user-interface interactions thatcharacterize multiple pairs of usage sessions of different human users,or (ii) a second pattern of user-interface interactions thatcharacterizes multiple pairs of usage sessions wherein each pair ofusage session belong to the same subscription account.

In some embodiments, the method comprises: if it is determined that saidcharacteristic of monitored user-interface interactions, over said pairof usage-sessions of the same subscription account, that comprise userreactions to said injected user-interface interference, is more similarto said first pattern of user-interface interactions that characterizemultiple pairs of usage sessions of different human users, thengenerating a notification that said particular subscription account isaccessed by two different human users who utilize the same set of logincredentials.

In some embodiments, the computerized service comprises a serviceselected from the group consisting of: a digital streaming videoservice; a digital streaming audio service; an online gaming service.

In some embodiments, the computerized service comprises a serviceselected from the group consisting of: an online premium-content serviceavailable only to paying subscribers; an online legal informationservice available only to paying subscribers; an online financialinformation service available only to paying subscribers; an onlinebusiness information service available only to paying subscribers; anonline news information service available only to paying subscribers.

In some embodiments, the method comprises: generating an attributesvector for each usage session; utilizing a clustering algorithm todetermine the number of most-probable sources for the usage sessions;based on the clustering result, determining whether the usage sessionscorrespond to one use or to multiple users.

In some embodiments, the method comprises: generating an ad-hoc modelreflecting user-side interactions that were performed in all usagesessions that originated from a particular computing device; based onsaid ad-hoc model, for all other usage sessions accesses using adifferent device, comparing said usage sessions to said model; if aparticular usage session is determined to be significantly differentthan said ad-hoc model, then determining the said particular usagesession originated from a different user.

In some embodiments, a method comprises: determining that a particularsubscription account of a computerized service, is accessed by two ormore different human users who utilize a same set of login credentials,by performing: (a) monitoring input-unit interactions of sets ofmultiple usage sessions that originated from sets of multiple differentsubscriptions accounts; (b) extracting from the input-unit interactionsthat were monitored in step (a), a cross-account usage-session groupingpattern; (c) monitoring input-unit interactions of sets of usagesessions that originated from a same subscription account; (d)extracting from the input-unit interactions that were monitored in step(c), an intra-account usage-session grouping pattern; (e) determiningwhether a set of multiple usage sessions, that originated from saidparticular subscription account, is: (i) relatively more similar to thecross-account usage-session grouping pattern, or (ii) relatively moresimilar to the intra-account usage-session grouping pattern.

In some embodiments, each one of the sets of multiple usage sessionscomprise a pair of usage sessions. In some embodiments, each one of thesets of multiple usage sessions comprise a set of three usage sessions.In some embodiments, each one of the sets of multiple usage sessionscomprise a group of four usage sessions.

In some embodiments, a system comprises: a multiple-users for sameaccount detector, to determine that a particular subscription account ofa computerized service, is accessed by two different human users whoutilize a same set of login credentials; wherein the multiple-users forsame account detector is: (a) to monitor input-unit interactions ofpairs of usage sessions that originated from pairs of two differentsubscriptions accounts; (b) to extract from the input-unit interactionsthat were monitored in step (a), a cross-account usage-session pairingpattern; (c) to monitor input-unit interactions of pairs of usagesessions that originated from a same subscription account; (d) toextract from the input-unit interactions that were monitored in step(c), an intra-account usage-session pairing pattern; (e) to determinewhether a pair of usage sessions, that originated from said particularsubscription account, is: (i) relatively more similar to thecross-account usage-session pairing pattern, or (ii) relatively moresimilar to the intra-account usage-session pairing pattern.

In some embodiments, if it is determined in step (e) that the pair ofusage session, that originated from said particular subscriptionaccount, is relatively more similar to the cross-account usage-sessionpairing pattern, then the multiple-users for same account detector is togenerate a notification that said particular subscription account isaccessed by two different human users who utilize the same set of logincredentials.

In some embodiments, in step (a), the multiple-users for same accountdetector is to monitor input-unit interactions of pairs of usagesessions that originated from pairs of two different subscriptionsaccounts and which comprise user reactions to an injected user-interfaceinterference; wherein in step (c), the multiple-users for same accountdetector is to monitor input-unit interactions of pairs of usagesessions that originated from a same subscription account and whichcomprise user reactions to said injected user-interface interference.

In some embodiments, the multiple-users for same account detector is todetermine that a particular subscription account of a computerizedservice, is accessed by two or more different human users who utilize asame set of login credentials, by performing: (a) monitoring input-unitinteractions of sets of multiple usage sessions that originated fromsets of multiple different subscriptions accounts; (b) extracting fromthe input-unit interactions that were monitored in step (a), across-account usage-session grouping pattern; (c) monitoring input-unitinteractions of sets of usage sessions that originated from a samesubscription account; (d) extracting from the input-unit interactionsthat were monitored in step (c), an intra-account usage-session groupingpattern; (e) determining whether a set of multiple usage sessions, thatoriginated from said particular subscription account, is: (i) relativelymore similar to the cross-account usage-session grouping pattern, or(ii) relatively more similar to the intra-account usage-session groupingpattern.

Some embodiments may enable a visual login process, as well as animplicit two-factor authentication (TFA) process, and stochasticcryptography based on monitored user-side input-unit interactions.

In some embodiments, a method comprises: differentiating between a firstuser and a second user of a computerized service, by performing:presenting an on-screen visual login interface which requires a user ofthe computerized service to interact with user interface elements inorder to enter user login credentials for said computerized service;monitoring interactions of said used via an input unit with said userinterface elements of said on-screen visual login interface; extractingfrom said interaction of the user via the input unit, a user-specifictrait indicating a user-specific manner of interaction with saidon-screen visual login interface; based on the extracted user-specificmanner of interaction, differentiating between a first user and a seconduser of said computerized service.

In some embodiments, the presenting comprises: presenting an on-screenkeypad of digits, and an on-screen target zone; generating adrag-and-drop interface that allows the user to selectively dragindividual digits, which correspond to a Personal Identification Number(PIN) that the user desires to enter, from said on-screen keypad to saidon-screen target zone; wherein the monitoring of interactions comprises:monitoring a manner in which the user performs drag-and-drop operationsof said individual digits, and extracting a user-specific trait fromsaid drag-and-drop operations of individual digits.

In some embodiments, the presenting comprises: presenting an on-screenvault interface having one or more on-screen cylinders; generating anon-screen interface that allows the user to selectively rotate the oneor more on-screen rotatable cylinders in order to input a PersonalIdentification Number (PIN) that the user desires to enter; wherein themonitoring of interactions comprises: monitoring a manner in which theuser performs rotations of the one or more on-screen rotatablecylinders, and extracting a user-specific trait from said rotations.

In some embodiments, the method comprises: injecting a user interfaceinterference to an operation of said user interface elements; monitoringa corrective reaction of the user to the injected user interfaceinterference; extracting a user-specific trait corresponding to saidcorrective reaction; based on the user-specific trait corresponding tosaid corrective reaction, differentiating between the first user and thesecond user of said computerized service.

In some embodiments, the presenting comprises: presenting an on-screenkeypad of digits, and an on-screen target zone; generating adrag-and-drop interface that allows the user to selectively dragindividual digits, which correspond to a Personal Identification Number(PIN) that the user desires to enter, from said on-screen keypad to saidon-screen target zone; wherein injecting the user interface interferencecomprises: injecting a user interface interference to an operation ofsaid drag-and-drop interface; wherein the monitoring of interactionscomprises: monitoring a manner in which the user reacts to the injecteduser-interface interference to the operation of said drag-and-dropinterface, and extracting a user-specific trait from the correctivereaction of the user.

In some embodiments, the presenting comprises: presenting an on-screenvault interface having one or more on-screen cylinders; generating anon-screen interface that allows the user to selectively rotate the oneor more on-screen rotatable cylinders in order to input a PersonalIdentification Number (PIN) that the user desires to enter; whereininjecting the user interface interference comprises: injecting a userinterface interference to an operation of said rotatable cylinders;wherein the monitoring of interactions comprises: monitoring a manner inwhich the user reacts to the injected user-interface interference to theoperation of said on-screen rotatable cylinders, and extracting auser-specific trait from the corrective reaction of the user.

In some embodiments, the injected user-interface interference causes anon-screen pointer to be non-responsive for a pre-defined period of time.

In some embodiments, the injected user-interface interference causes anon-screen pointer to move in a route that is non-identical to a movementroute of said input unit.

In some embodiments, the method comprises: presenting an on-screencollection of items; presenting to the user a textual notification thatthe user is required to select a particular item from said collection,wherein the textual notification comprise a textual instruction in anatural language that a human user is required to comprehend in order tocorrectly select said particular item from said collection; introducingan interference to a drag-and-drop operation of said particular item;checking whether a current reaction of the user to said interference,matches a user-specific profile of said user indicating past reactionsof said user to said interference.

In some embodiments, the method comprises: presenting an on-screenjigsaw puzzle as part of a login process; monitoring a manner in whichthe user solves the on-screen jigsaw puzzle; extracting a user-specificprofile corresponding to the manner in which the user solves theon-screen jigsaw puzzle; in a subsequent login process, checking whether(a) a current manner of the user solving the on-screen jigsaw puzzle,matches (b) the user-specific profile corresponding to the manner inwhich the user solved the on-screen jigsaw puzzle in previous loginsessions.

In some embodiments, the method comprises: during a log-in process andwhile the user enters user credentials through a mobile computingdevice, injecting a time-delay between (A) tapping of a character on anon-screen keyboard by the user, and (B) displaying said character on thescreen of the mobile computing device; monitoring user reactions to theinjected time-delay between tapping and displaying; extracting auser-specific profile reflecting a typical reaction of said user toinjected time-delays between tapping and displaying; in a subsequentlog-in session, checking whether (i) a current reaction of the user totime-delay between tapping and displaying, matches (ii) theuser-specific profile reflecting the typical reaction of said user toinjected time-delays between tapping and displaying.

In some embodiments, the method comprises: during a log-in process,causing an Enter key to be non-responsive to keystrokes; presenting anon-screen Submit button; introducing an on-screen interference toregular operation of said on-screen Submit button; monitoring userreactions to the on-screen interference to the regular operation of saidon-screen Submit button; extracting a user-specific profile reflecting atypical reaction of said user to the on-screen interference to theregular operation of said on-screen Submit button; in a subsequentlog-in session, checking whether (i) a current reaction of the user tothe on-screen interference to the regular operation of the on-screenSubmit button, matches (ii) the user-specific profile reflecting thetypical reaction of said user to the on-screen interference to theregular operation of the on-screen Submit button.

In some embodiments, the method comprises: performing an implicittwo-factor authentication process as a condition for authorizing saiduser to access said computerized service, wherein a first-step of theimplicit two-factor authentication process comprises receiving from theuser a correct value of a password previously-defined by said user;wherein a second-step of the implicit two-factor authentication processcomprises receiving from said user said correct value in an input mannerthat exhibits a particular user-specific trait that had been extractedfrom previous input-unit interactions of said user.

In some embodiments, the method comprises: performing an implicittwo-factor authentication process as a condition for authorizing saiduser to access said computerized service, wherein a first-step of theimplicit two-factor authentication process comprises receiving from theuser a correct value of a password previously-defined by said user;wherein a second-step of the implicit two-factor authentication processcomprises: injecting a user interface interference to an interfacepresented to said user; and receiving from said user said correct valuein an input manner which reacts to said interference and which exhibitsa particular user-specific trait that had been extracted from previousinput-unit interactions of said user in response to said interference.

In some embodiments, the method comprises: presenting to the user, oneinterference at a time, a sequence of user-interface interferences thatare selected one at a time from a pool of possible user-interfaceinterferences; monitoring user reactions to the user-interfaceinterferences that were presented to the user, one interference at atime; generating a user-specific general reaction model that reflects ageneral manner of reactions to user-interface interferences by saiduser; generating an encryption key by using a parameter of saiduser-specific general reaction model; encrypting a content item of saiduser by using said encryption key that was generated based on saiduser-specific general reaction model.

In some embodiments, the method comprises: upon a user request todecrypt said content item, performing: presenting to the user a singleuser-interface interference, from the sequence of user-interfaceinterferences that were selected and used for generating theuser-specific general reaction model prior to said encrypting step;monitoring a current reaction of said user to the single user-interfaceinterference that is presented to the user; extracting a user-specificvalue from the current reaction of said user to the singleuser-interface interference that is presented to the user; calculating adecryption key based on the user-specific value that was extracted fromthe current reaction of said user to the single user-interfaceinterference that is presented to the user; decrypting said content itemby using said decryption key.

In some embodiments, said sequence of user-interface interferencecomprise a sequence of at least 20 user-interface interferences, thatare selected one-at-a-time from a pool comprising at least 100user-interface interferences.

In some embodiments, the method comprises: performing stochasticencryption of a content item associated with said user, by utilizing anencryption key that is based, at least partially, on a user-specificmodel that reflects a general manner in which said user responds to atleast 10 different user-interface interferences.

In some embodiments, the method comprises: performing stochasticencryption of a content item associated with said user, by utilizing anencryption key that is based, at least partially, on a user-specificmodel that reflects a general manner in which said user responds to aseries of at least 10 different user-interface interferences that werepresented to said user one interference at a time; performing stochasticdecryption of said content item associated with said user, by utilizinga decryption key that is based, at least partially, on a single reactionof said user to a single user-interface interference that is presentedto said user in response to a user request to decrypt said content item.

In some embodiments, the method comprises: performing a stochasticcryptography operation which utilizes, as a cryptographic parameter, avalue of a user-specific model of reaction to a user interfaceinterference of a particular type.

In some embodiments, the method comprises: injecting a user interfaceinterference to an interaction of said user with said computerizedservice; monitoring user reaction to said user interface interference;extracting a user-specific interference-specific parameter whichindicates an attribute of the user reaction to said user interfaceinterference; performing a stochastic cryptography operation whichutilizes, as a cryptographic parameter, a value of said user-specificinterference-specific parameter which indicates said attribute of theuser reaction to said user interface interference.

In some embodiments, the method comprises: estimating a false positivemargin-of-error of said stochastic cryptography operation; allowing theuser to perform multiple access attempts to compensate for the estimatedfalse positive margin-of-error of said stochastic cryptographyoperation.

In some embodiments, the stochastic cryptography operation comprises atleast one of: encryption, decryption.

In some embodiments, the cryptographic parameter comprises: a value ofsaid user-specific interference-specific parameter which indicates saidattribute of the user reaction to said user interface interference whichis introduced during said visual login process.

In some embodiments, a system comprises: a visual login module todifferentiate between a first user and a second user of a computerizedservice, wherein the visual login module is: to present an on-screenvisual login interface which requires a user of the computerized serviceto interact with user interface elements in order to enter user logincredentials for said computerized service; to monitor interactions ofsaid used via an input unit with said user interface elements of saidon-screen visual login interface; to extract from said interaction ofthe user via the input unit, a user-specific trait indicating auser-specific manner of interaction with said on-screen visual logininterface; based on the extracted user-specific manner of interaction,to differentiate between a first user and a second user of saidcomputerized service.

In some embodiments, the visual login module is to perform an implicittwo-factor authentication process as a condition for authorizing saiduser to access said computerized device, wherein a first-step of theimplicit two-factor authentication process comprises receiving from theuser a correct value of a password previously-defined by said user;wherein a second-step of the implicit two-factor authentication processcomprises receiving from said user said correct value in an input mannerthat exhibits a particular user-specific trait that had been extractedfrom previous input-unit interactions of said user.

In some embodiments, the system comprises a stochastic cryptographymodule, wherein the stochastic cryptography module is: to inject a userinterface interference to an interaction of said user with saidcomputerized service; to monitor user reaction to said user interfaceinterference; to extract a user-specific interference-specific parameterwhich indicates an attribute of the user reaction to said user interfaceinterference; to perform a stochastic cryptography operation whichutilizes, as a cryptographic parameter, a value of said user-specificinterference-specific parameter which indicates said attribute of theuser reaction to said user interface interference.

In some embodiments, a method comprises: determining whether a humanuser, who utilizes a computing device to interact with a computerizedservice via a communication channel, (i) is a human user that isco-located physically near said computing device, or (ii) is a humanuser that is located remotely from said computing device and isoperating remotely said computer device via a remote access channel;wherein the determining comprises: (a) monitoring interactions of theuser with an input unit of said computing device, in response to one ormore communication lags that are exhibited by said communicationchannel; (b) based on monitored user interactions via the input unit inresponse to said one or more communication lags, determining whethersaid human user (i) is a human user that is co-located physically atsaid computing device, or (ii) is a human user that is located remotelyfrom said computing device and is controlling remotely said computingdevice via said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining an actual reaction time of said user to saidinput/output aberration; if the actual reaction time of said user to theinput/output aberration, is greater than a pre-defined reaction-timethreshold value, then determining that the user is located remotely fromsaid computing device and is controlling remotely said computing devicevia said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining an actual reaction time of said user to saidinput/output aberration; defining a reference reaction time thatcharacterizes a maximum time that elapses between (I) generation of saidinput/output aberration to a local user, and (II) sensing of a reactionby the local user to said input/output aberration; if the actualreaction time of said user to the input/output aberration, is greaterthan said reference reaction time, then determining that the user islocated remotely from said computing device and is controlling remotelysaid computing device via said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining a time-length of a time-gap between (I)introduction of said input/output aberration, and (II) first discoveryof the input/output aberration by the user as exhibited by commencementof a corrective action by the user; if the time-length of said time-gap,is greater than a pre-defined time-gap threshold value thatcharacterizes non-remote users, then determining that the user islocated remotely from said computing device and is controlling remotelysaid computing device via said remote access channel.

In some embodiments, the method comprises: injecting a communicationlatency into said communication channel between said computing deviceand said computerized service; introducing an input/output aberrationthat causes said input unit of said computing device to exhibit abnormalbehavior; determining a time-length of a time-gap between (I)introduction of said input/output aberration, and (II) an end of acorrective action that the user performed in response to saidinput/output aberration; if the time-length of said time-gap, is greaterthan a pre-defined time-gap threshold value that characterizesnon-remote users, then determining that the user is located remotelyfrom said computing device and is controlling remotely said computingdevice via said remote access channel.

In some embodiments, the method comprises: hiding a mouse-pointer on ascreen of said computerized service; monitoring input unit reactions ofsaid user in response to the hiding of the mouse-pointer; based on theinput unit reactions of said user in response to the hiding of themouse-pointer, determining whether said user is (i) co-locatedphysically at said computing device, or (ii) is located remotely romsaid computing device and controlling remotely said computing device viasaid remote access channel.

In some embodiments, the method comprises: temporarily hiding anon-screen pointer of said computerized service; monitoring input unitreactions of said user in response to the hiding of the on-screenpointer; detecting latency in said input unit reactions of said user inresponse to the hiding of the on-screen pointer; based on detectedlatency in the input unit reactions of said user in response to thehiding of the on-screen pointer, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely rom said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: causing an on-screen pointerto deviate relative to its regular on-screen route; monitoring inputunit reactions of said user in response to deviation of the on-screenpointer; detecting latency in said input unit reactions of said user inresponse to the deviation of the on-screen pointer; based on detectedlatency in the input unit reactions of said user in response to thedeviation of the on-screen pointer, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely rom said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit of said computing device;based on a frequency of said sampling, determining latency ofcommunications between said user and the computerized service; based onsaid latency of communications, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit of said computing device;based on a frequency of said sampling, determining latency ofcommunications between said user and the computerized service; based onsaid latency of communications, determining whether said user is (i)co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-smooth movement of the computer mouse, then,determining that said user is co-located physically near said computingdevice.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-rough movement of the computer mouse, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates generally-linear movement of the computer mouse, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with a computer mouse; if said samplingindicates sharp-turn movements of the computer mouse, then, determiningthat said user is located remotely from said computing device andcontrolling remotely said computing device via said remote accesschannel.

In some embodiments, the method comprises: sampling multipleinteractions of said user with said input unit; if a frequency of saidmultiple interactions is below a pre-defined threshold, then,determining that said user is located remotely from said computingdevice and controlling remotely said computing device via said remoteaccess channel; if the frequency of said multiple interactions is abovethe pre-defined threshold, then, determining that said user isco-located physically near said computing device.

In some embodiments, the method comprises: overloading a data transfercommunication channel of the computing device that is used for accessingsaid computerized service; measuring an effect of said overloading onfrequency of sampling user interactions via an input unit; based on themeasured effect of said overloading, determining whether said user is(i) co-located physically at said computing device, or (ii) is locatedremotely from said computing device and controlling remotely saidcomputing device via said remote access channel.

In some embodiments, the method comprises: sampling user interactionswith an input unit of a mobile computing device; analyzing temporalrelationship between touch events and accelerometer events of sampleduser interactions with said input unit of the mobile computing device;based on analysis of temporal relationship between touch andaccelerometer events, of sampled user interactions with said input unitof the mobile computing device, determining whether the said mobilecomputing device is controlled remotely via said remote access channel.

In some embodiments, the method comprises: sampling user interactionswith an input unit of a mobile computing device; analyzing temporalrelationship between touch movement events and accelerometer events, ofsampled user interactions with said input unit of the mobile computingdevice; based on analysis of temporal relationship between touchmovement event and accelerometer events, of sampled user interactionswith said input unit of the mobile computing device, determining whetherthe said mobile computing device is controlled remotely via said remoteaccess channel.

In some embodiments, the method comprises: (A) sampling touch-basedgestures of a touch-screen of a mobile computing device; (B) samplingaccelerometer data of said mobile computing device, during a time periodwhich at least partially overlaps said sampling of touch-based gesturesof the touch-screen of the mobile computing device; (C) based on amismatch between (i) sampled touch-based gestures, and (ii) sampledaccelerometer data, determining that the mobile computing device wascontrolled remotely via said remote access channel.

In some embodiments, the method comprises: (A) sampling touch-basedgestures of a touch-screen of a mobile computing device; (B) samplingaccelerometer data of said mobile computing device, during a time periodwhich at least partially overlaps said sampling of touch-based gesturesof the touch-screen of the mobile computing device; (C) determining thatsampled touch-based gestures indicate that a user operated the mobilecomputing device at a particular time-slot; (D) determining that thesampled accelerometer data indicate that the mobile computing device wasnot moved during said particular time-slot; (E) based on the determiningof step (C) and the determining of step (D), determining that the mobilecomputing device was controlled remotely via said remote access channelduring said particular time-slot.

In some embodiments, latency or delays or lags may be injected into thecommunication channel, by one or more suitable means, for example: byre-sending duplicate or erroneous packets or redundant packets; bycausing the server to wait a pre-defined time period between sending ofpackets; by avoiding to send a packet (or several packets) for apre-defined time-period; by sending redundant or unnecessary datatogether with relevant data; by sending large multimedia content (e.g.,video, audio, images), larger than a pre-defined threshold size, inorder to over-burden the communication channel and cause delays andlatency; by causing the end-user device to respond slowly and/or totransmit packets slowly, e.g., by over-burdening the processor and/orthe memory and/or the wireless transceiver of the end-user device;and/or other suitable means.

Some embodiments may compare between: the actual latency that isexhibited by the user's reactions and/or corrective actions, and a“reference” latency value that is expected to be exhibited by localusers that are located physically adjacent to the computing device andare not controlling the device via a Remote Access channel; and suchcomparison may enable detection of a Remote Access user, for example, ifthe actual, sensed, measured response times or reaction times of theuser, are at least K percent slower (or greater) than the “reference”values of response time or reaction time that is typically measured forlocal, non-remote, users (e.g., based on a calculated average ofresponse times or reaction times, measured in a population of knownlocal users).

Embodiments of the present invention may be utilized with a variety ofdevices or systems having a touch-screen or a touch-sensitive surface;for example, a smartphone, a cellular phone, a mobile phone, asmart-watch, a tablet, a handheld device, a portable electronic device,a portable gaming device, a portable audio/video player, an AugmentedReality (AR) device or headset or gear, a Virtual Reality (VR) device orheadset or gear, a “kiosk” type device, a vending machine, an AutomaticTeller Machine (ATM), a laptop computer, a desktop computer, a vehicularcomputer, a vehicular dashboard, a vehicular touch-screen, or the like.

The system(s) and/or device(s) of the present invention may optionallycomprise, or may be implemented by utilizing suitable hardwarecomponents and/or software components; for example, processors,processor cores, Central Processing Units (CPUs), Digital SignalProcessors (DSPs), circuits, Integrated Circuits (ICs), controllers,memory units, registers, accumulators, storage units, input units (e.g.,touch-screen, keyboard, keypad, stylus, mouse, touchpad, joystick,trackball, microphones), output units (e.g., screen, touch-screen,monitor, display unit, audio speakers), acoustic microphone(s) and/orsensor(s), optical microphone(s) and/or sensor(s), laser or laser-basedmicrophone(s) and/or sensor(s), wired or wireless modems or transceiversor transmitters or receivers, GPS receiver or GPS element or otherlocation-based or location-determining unit or system, network elements(e.g., routers, switches, hubs, antennas), and/or other suitablecomponents and/or modules.

The system(s) and/or devices of the present invention may optionally beimplemented by utilizing co-located components, remote components ormodules, “cloud computing” servers or devices or storage, client/serverarchitecture, peer-to-peer architecture, distributed architecture,and/or other suitable architectures or system topologies or networktopologies.

In accordance with embodiments of the present invention, calculations,operations and/or determinations may be performed locally within asingle device, or may be performed by or across multiple devices, or maybe performed partially locally and partially remotely (e.g., at a remoteserver) by optionally utilizing a communication channel to exchange rawdata and/or processed data and/or processing results.

Some embodiments may be implemented by using a special-purpose machineor a specific-purpose device that is not a generic computer, or by usinga non-generic computer or a non-general computer or machine. Such systemor device may utilize or may comprise one or more components or units ormodules that are not part of a “generic computer” and that are not partof a “general purpose computer”, for example, cellular transceivers,cellular transmitter, cellular receiver, GPS unit, location-determiningunit, accelerometer(s), gyroscope(s), device-orientation detectors orsensors, device-positioning detectors or sensors, or the like.

Some embodiments may be implemented as, or by utilizing, an automatedmethod or automated process, or a machine-implemented method or process,or as a semi-automated or partially-automated method or process, or as aset of steps or operations which may be executed or performed by acomputer or machine or system or other device.

Some embodiments may be implemented by using code or program code ormachine-readable instructions or machine-readable code, which may bestored on a non-transitory storage medium or non-transitory storagearticle (e.g., a CD-ROM, a DVD-ROM, a physical memory unit, a physicalstorage unit), such that the program or code or instructions, whenexecuted by a processor or a machine or a computer, cause such processoror machine or computer to perform a method or process as describedherein. Such code or instructions may be or may comprise, for example,one or more of: software, a software module, an application, a program,a subroutine, instructions, an instruction set, computing code, words,values, symbols, strings, variables, source code, compiled code,interpreted code, executable code, static code, dynamic code; including(but not limited to) code or instructions in high-level programminglanguage, low-level programming language, object-oriented programminglanguage, visual programming language, compiled programming language,interpreted programming language, C, C++, C#, Java, JavaScript, SQL,Ruby on Rails, Go, Cobol, Fortran, ActionScript, AJAX, XML, JSON, Lisp,Eiffel, Verilog, Hardware Description Language (HDL, BASIC, VisualBASIC, Matlab, Pascal, HTML, HTML5, CSS, Perl, Python, PHP, machinelanguage, machine code, assembly language, or the like.

Some embodiments of the present invention may perform steps oroperations such as, for example, “determining”, “identifying”,“comparing”, “checking”, “querying”, “searching”, “matching”, and/or“analyzing”, by utilizing, for example: a pre-defined threshold value towhich one or more parameter values may be compared; a comparison between(i) sensed or measured or calculated value(s), and (ii) pre-defined ordynamically-generated threshold value(s) and/or range values and/orupper limit value and/or lower limit value and/or maximum value and/orminimum value; a comparison or matching between sensed or measured orcalculated data, and one or more values as stored in a look-up table ora legend table or a list of reference value(s) or a database ofreference values or ranges; a comparison or matching or searchingprocess which searches for matches and/or identical results and/orsimilar results and/or sufficiently-close results, among multiple valuesor limits that are stored in a database or look-up table; utilization ofone or more equations, formula, weighted formula, and/or othercalculation in order to determine similarity or a match between or amongparameters or values; utilization of comparator units, lookup tables,threshold values, conditions, conditioning logic, Boolean operator(s)and/or other suitable components and/or operations.

Some embodiments may comprise, or may be implemented by using, an “app”or application which may be downloaded or obtained from an “app store”or “applications store”, for free or for a fee, or which may bepre-installed on a computing device or electronic device, or which maybe transported to and/or installed on such computing device orelectronic device.

While certain features of the present invention have been illustratedand described herein, many modifications, substitutions, changes, andequivalents may occur to those skilled in the art. Accordingly, theclaims are intended to cover all such modifications, substitutions,changes, and equivalents.

What is claimed is:
 1. A method comprising: (a) monitoring multipleinteractions of a particular user that utilizes an electronic device toaccess a particular bank account; (b) performing an analysis that isbased on at least one of: (b1) data of transactions submitted forexecution in said particular bank account, (b2) user-specific behavioraldata indicating a behavioral manner in which said particular userutilizes said electronic device, extracted from monitored interactionsand monitored gestures of said particular user, (b3) data about one ormore operational properties of said electronic device, (b4) one or moresignals captured from a communication channel between said electronicdevice and a server associated with said particular bank account; (c)based on said analysis, generating a notification alert that said onlinebank account is used as a mule bank account or as a money launderingbank account or as a terror-funding bank account.
 2. The method of claim1, wherein the analysis of step (b) comprises: (A) detecting that a setof banking operations comprise: (i) a first funds transfer from a firstbank account to a second bank account, followed by (ii) a second fundstransfer from the second bank account to a third bank account; (B)analyzing (I) a first set of user interactions that were performed in afirst usage session in which funds were transferred out from the firstbank account, and also (II) a second set of user interactions that wereperformed in a second usage session in which funds were transferred outfrom the second bank account to the third bank account; and detecting aset of user-specific features that appear in both the first set of userinteractions and the second set of user interactions; (C) based on thedetecting of step (B), performing: (C1) determining that said first bankaccount was a victim bank account, and (C2) determining that said secondbank account was used as a mule bank account, and (C3) determining thatsaid third bank account was used as a real destination bank account. 3.The method of claim 1, wherein the analysis of step (b) comprises: (A)monitoring and analyzing user interactions during multiple, different,usage sessions in which said online bank account was accessed; (B) basedon step (A), creating a plurality of user-specific profiles thatcorrespond to a plurality of users that accessed said online bankaccount, and generating an estimated number of said plurality of usersthat accessed said online bank account; (C) based on step (B),determining that said target bank account is used as a mule bank accountto illegally receive and transfer money.
 4. The method of claim 1,wherein the analysis of step (b) comprises: (A) monitoring and analyzinguser interactions during multiple usage sessions in which said onlinebank account was accessed; (B) detecting that the user interactions insaid multiple usage session, comprise: (i) an incoming funds transfer,and (ii) a subsequent outgoing funds transfer, and (iii) lack of cashwithdrawals, and (iv) lack of check withdrawals; (C) based on thedetecting of said (B), determining that said online bank account wasused as a mule bank account to illegally receive and transfer money. 5.The method of claim 1, wherein the analysis of step (b) comprises: (A)receiving a list of bank accounts that are known to be mule bankaccounts; analyzing user interactions that were performed via inputunits of computing devices by users that accessed said mule bankaccounts; and extracting a set of interaction features that characterizethe user interactions across multiple mule bank accounts; (B)subsequently, checking whether user interactions in a particular bankaccount, match said set of interaction features that were extracted instep (A); and if the checking result is positive, then determining thatsaid particular bank account was used as a mule bank account toillegally receive and transfer money.
 6. The method of claim 1, whereinthe analysis of step (b) comprises: (A) based on analysis ofcommunications latency in a communication channel between said computingdevice and a remote server, determining that said user is locatedremotely from said computing device and is controlling remotely saidcomputing device via said remote access channel; (B) based on detectionof utilization of said remote access channel, determining that saidonline banking account is used as a mule bank account to illegallyreceive and transfer money.
 7. The method of claim 1, wherein theanalysis of step (b) comprises: (A) sampling touch-based gestures of atouch-screen of said computing device; (B) sampling accelerometer, gyroand device orientation data of said computing device, during a timeperiod which at least partially overlaps said sampling of touch-basedgestures of the touch-screen of the computing device; (C) based on amismatch between (i) sampled touch-based gestures, and (ii) sampledaccelerometer, gyro and device orientation data, determining that thecomputing device was controlled remotely via a remote access channel;(D) based on detection of utilization of said remote access channel,determining that said online banking account is used as a mule bankaccount to illegally receive and transfer money.
 8. The method of claim1, wherein the analysis of step (b) comprises: (A) sampling interactionsof said user with said computing device during multiple online accessesto said banking account, and creating a user-specific profile of theinteraction of said user with an input unit of said computing device;(B) matching said user-specific profile with interactions of said userwith said banking account via an electronic device that is differentfrom said computing device; (C) based on said matching, determining thatsaid online banking account is used as a mule bank account to illegallyreceive and transfer money.
 9. The method of claim 1, wherein theanalysis of step (b) comprises: (A) monitoring and analyzinginteractions of said user, who utilizes said computing device totransfer funds from said online banking account to a target bankingaccount that is not accessed by said computing device; and creating afirst user-specific profile based on said interactions monitored andanalyzed in step (A); (B) monitoring and analyzing interactions ofanother user, who utilizes another computing device to access saidtarget bank account; and creating a second user-specific profile basedon said interactions monitored and analyzed in step (B); (C) determininga match between the first user-specific profile and the seconduser-specific profile; (D) based on said match, determining that saidtarget bank account is used as a mule bank account to illegally receiveand transfer money.
 10. The method of claim 1, wherein the analysis ofstep (b) comprises: (A) monitoring and analyzing user interactionsduring usage sessions in which said online bank account was accessed,and generating a primary user-specific interaction profile thatcharacterizes the interactions of said user with said online bankaccount; (B) monitoring and analyzing interactions of users during usagesessions in which other online bank account were accessed; andgenerating, respectively, a plurality of user-specific interactionprofiles; (C) detecting a match between (I) said primary user-specificinteraction profile that was generated in step (A), and (II) anotheruser-specific interaction profile that was generated in step (B)pertaining to another online bank account; (D) based on said match,determining that at least one bank account is utilized by said user as amule bank account to illegally receive and transfer money.
 11. Themethod of claim 1, wherein the analysis of step (b) comprises: (A)monitoring and analyzing user interactions during online accesses tomultiple different banking accounts; (B) based on step (A), determiningthat a particular banking account is accessed by a particular user whichalso accesses one or more other online banking accounts; (C) based thedetermining of step (B), determining that at least one bank account isutilized by said user as a mule bank account to illegally receive andtransfer money.
 12. The method of claim 1, wherein the analysis of step(b) comprises: (A) detecting that a first amount of money wastransferred from a first account to a second account; (B) detecting thata second amount of money, which is at least 50 percent of the firstamount of money, was transferred from the second account to a thirdaccount; (C) detecting that the second account was accessed via a RemoteAccess channel; (D) based cumulatively on the detecting of step (A) andthe detecting of step (B) and the detecting of step (C), determiningthat said second account is used as a mule bank account or as a moneylaundering bank account or as a terror-funding bank account.
 13. Themethod of claim 1, wherein the analysis of step (b) comprises: (A)detecting that a first amount of money was transferred from a firstaccount to a second account; (B) detecting that a second amount ofmoney, which is at least 50 percent of the first amount of money, wastransferred from the second account to a third account; (C) detectingthat the second account was accessed via a proxy server; (D) basedcumulatively on the detecting of step (A) and the detecting of step (B)and the detecting of step (C), determining that said second account isused as a mule bank account or as a money laundering bank account or asa terror-funding bank account.
 14. The method of claim 1, wherein theanalysis of step (b) comprises: (A) detecting that a first amount ofmoney was transferred from a first account to a second account; (B)detecting that a second amount of money, which is at least 50 percent ofthe first amount of money, was transferred from the second account to athird account; (C) detecting that the second account was accessed via aVirtual Machine; (D) based cumulatively on the detecting of step (A) andthe detecting of step (B) and the detecting of step (C), determiningthat said second account is used as a mule bank account or as a moneylaundering bank account or as a terror-funding bank account.
 15. Themethod of claim 1, wherein the analysis of step (b) further comprises,and is further based on: determining that (i) user-specific behavioralcharacteristics that are extracted from spatial orientation propertiesof a first electronic device that was used to access a first bankaccount, are similar beyond a pre-defined threshold value of similarityto (ii) user-specific behavioral characteristics, that are extractedfrom spatial orientation properties of a second, different, electronicdevice that was used to access a second, different, bank account. 16.The method of claim 1, wherein the analysis of step (b) furthercomprises, and is further based on: determining that (i) user-specificbehavioral characteristics that are extracted from accelerometer datasensed by a first electronic device that was used to access a first bankaccount, are similar beyond a pre-defined threshold value of similarityto (ii) user-specific behavioral characteristics, that are extractedfrom accelerometer data sensed by a second, different, electronic devicethat was used to access a second, different, bank account.
 17. Themethod of claim 1, wherein the analysis of step (b) further comprises,and is further based on: determining that (i) user-specific behavioralcharacteristics that are extracted from gyroscope data sensed by a firstelectronic device that was used to access a first bank account, aresimilar beyond a pre-defined threshold value of similarity to (ii)user-specific behavioral characteristics, that are extracted fromgyroscope data sensed by a second, different, electronic device that wasused to access a second, different, bank account.
 18. The method ofclaim 1, wherein the analysis of step (b) further comprises, and isfurther based on: determining that (i) user-specific behavioralcharacteristics that are extracted from (I) gyroscope data and (II)accelerometer data and (III) spatial orientation data sensed by a firstelectronic device that was used to access a first bank account, aresimilar beyond a pre-defined threshold value of similarity to (ii)user-specific behavioral characteristics, that are extracted from (I)gyroscope data and (II) accelerometer data and (III) spatial orientationdata sensed by a second, different, electronic device that was used toaccess a second, different, bank account.
 19. A non-transitory storagemedium having stored thereon instructions that, when executed by amachine, cause the machine to perform a method comprising: (a)monitoring multiple interactions of a particular user that utilizes anelectronic device to access a particular bank account; (b) performing ananalysis that is based on at least one of: (b1) data of transactionssubmitted for execution in said particular bank account, (b2)user-specific behavioral data indicating a behavioral manner in whichsaid particular user utilizes said electronic device, extracted frommonitored interactions and monitored gestures of said particular user,(b3) data about one or more operational properties of said electronicdevice, (b4) one or more signals captured from a communication channelbetween said electronic device and a server associated with saidparticular bank account; (c) based on said analysis, generating anotification alert that said online bank account is used as a mule bankaccount or as a money laundering bank account or as a terror-fundingbank account.
 20. A system comprising: one or more hardware processors,configured to execute code; one or more memory units, configured tostore code; wherein the one or more hardware processors are configuredto perform a process comprising: (a) monitoring multiple interactions ofa particular user that utilizes an electronic device to access aparticular bank account; (b) performing an analysis that is based on atleast one of: (b1) data of transactions submitted for execution in saidparticular bank account, (b2) user-specific behavioral data indicating abehavioral manner in which said particular user utilizes said electronicdevice, extracted from monitored interactions and monitored gestures ofsaid particular user, (b3) data about one or more operational propertiesof said electronic device, (b4) one or more signals captured from acommunication channel between said electronic device and a serverassociated with said particular bank account; (c) based on saidanalysis, generating a notification alert that said online bank accountis used as a mule bank account or as a money laundering bank account oras a terror-funding bank account.